Package Instance

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/66ce3843d32e9f2ac3b1da20067af53019bbb034

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/66ce3843d32e9f2ac3b1da20067af53019bbb034

reference_url

https://github.com/rails/rails/commit/7e86f9b4d2b7dfa974c10ae7e6d8ef90f3d77f06

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/7e86f9b4d2b7dfa974c10ae7e6d8ef90f3d77f06

reference_url

https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291

reference_url

https://web.archive.org/web/20170223045008/http://www.securitytracker.com/id?1025060

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20170223045008/http://www.securitytracker.com/id?1025060

reference_url

http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-0447

reference_url	http://www.securityfocus.com/bid/46291
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/46291

reference_url	http://www.securitytracker.com/id?1025060
reference_id
reference_type
scores
url	http://www.securitytracker.com/id?1025060

reference_url	http://www.vupen.com/english/advisories/2011/0587
reference_id
reference_type
scores
url	http://www.vupen.com/english/advisories/2011/0587

reference_url	http://www.vupen.com/english/advisories/2011/0877
reference_id
reference_type
scores
url	http://www.vupen.com/english/advisories/2011/0877

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864
reference_id	614864
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.0:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.1.0:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.0:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.1:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.1.1:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.1:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.2:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.1.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.0:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.2.0:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.0:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.1:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.2.1:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.1:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.2:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.2.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::

reference_url

reference_id

CVE-2011-0447

reference_type

scores

value	6.8
scoring_system	cvssv2
scoring_elements	AV:N/AC:M/Au:N/C:P/I:P/A:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-0447

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0447.yml

reference_id

CVE-2011-0447.YML

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0447.yml

reference_url

https://github.com/advisories/GHSA-24fg-p96v-hxh8

reference_id

GHSA-24fg-p96v-hxh8

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-24fg-p96v-hxh8

reference_url	https://security.gentoo.org/glsa/201412-28
reference_id	GLSA-201412-28
reference_type
scores
url	https://security.gentoo.org/glsa/201412-28

fixed_packages

aliases

CVE-2011-0447, GHSA-24fg-p96v-hxh8

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-49pq-vg95-jkh2

url VCID-63gy-6njy-kbd8

vulnerability_id VCID-63gy-6njy-kbd8

summary

ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22792

reference_id

reference_type

scores

value	0.02639
scoring_system	epss
scoring_elements	0.85729
published_at	2026-04-16T12:55:00Z

value	0.02639
scoring_system	epss
scoring_elements	0.85707
published_at	2026-04-13T12:55:00Z

value	0.02639
scoring_system	epss
scoring_elements	0.85711
published_at	2026-04-12T12:55:00Z

value	0.02639
scoring_system	epss
scoring_elements	0.85715
published_at	2026-04-11T12:55:00Z

value	0.02639
scoring_system	epss
scoring_elements	0.85701
published_at	2026-04-09T12:55:00Z

value	0.02639
scoring_system	epss
scoring_elements	0.85689
published_at	2026-04-08T12:55:00Z

value	0.02639
scoring_system	epss
scoring_elements	0.85646
published_at	2026-04-02T12:55:00Z

value	0.02639
scoring_system	epss
scoring_elements	0.8567
published_at	2026-04-07T12:55:00Z

value	0.02639
scoring_system	epss
scoring_elements	0.85663
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml

reference_url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_url

https://security.netapp.com/advisory/ntap-20240202-0007

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240202-0007

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22792

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id	1030050
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164800
reference_id	2164800
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164800

reference_url

reference_id

CVE-2023-22792

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22792

reference_url

https://github.com/advisories/GHSA-p84v-45xj-wwqj

reference_id

GHSA-p84v-45xj-wwqj

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-p84v-45xj-wwqj

reference_url

https://security.netapp.com/advisory/ntap-20240202-0007/

reference_id

ntap-20240202-0007

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://security.netapp.com/advisory/ntap-20240202-0007/

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

fixed_packages

url pkg:gem/actionpack@5.2.8

purl pkg:gem/actionpack@5.2.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.8

url	pkg:gem/actionpack@5.2.8.15
purl	pkg:gem/actionpack@5.2.8.15
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.8.15

url pkg:gem/actionpack@6.1.7.1

purl pkg:gem/actionpack@6.1.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1

url pkg:gem/actionpack@7.0.4.1

purl pkg:gem/actionpack@7.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5bh7-drnb-7ygg

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1

aliases CVE-2023-22792, GHSA-p84v-45xj-wwqj, GMS-2023-58

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-63gy-6njy-kbd8

url

VCID-6j55-bstz-yybj

vulnerability_id

VCID-6j55-bstz-yybj

summary

High severity vulnerability that affects actionpack
actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.

references

reference_url

http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2011-0449

reference_id

reference_type

scores

value	0.00555
scoring_system	epss
scoring_elements	0.68141
published_at	2026-04-16T12:55:00Z

value	0.00555
scoring_system	epss
scoring_elements	0.68064
published_at	2026-04-02T12:55:00Z

value	0.00555
scoring_system	epss
scoring_elements	0.68083
published_at	2026-04-04T12:55:00Z

value	0.00555
scoring_system	epss
scoring_elements	0.68062
published_at	2026-04-07T12:55:00Z

value	0.00555
scoring_system	epss
scoring_elements	0.68113
published_at	2026-04-08T12:55:00Z

value	0.00555
scoring_system	epss
scoring_elements	0.68128
published_at	2026-04-09T12:55:00Z

value	0.00555
scoring_system	epss
scoring_elements	0.68152
published_at	2026-04-11T12:55:00Z

value	0.00555
scoring_system	epss
scoring_elements	0.68138
published_at	2026-04-12T12:55:00Z

value	0.00555
scoring_system	epss
scoring_elements	0.68105
published_at	2026-04-13T12:55:00Z

value	0.00555
scoring_system	epss
scoring_elements	0.68042
published_at	2026-04-01T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2011-0449

reference_url	http://secunia.com/advisories/43278
reference_id
reference_type
scores
url	http://secunia.com/advisories/43278

reference_url	http://securitytracker.com/id?1025061
reference_id
reference_type
scores
url	http://securitytracker.com/id?1025061

reference_url

https://github.com/rails/rails/commit/6f80224057803f85b3f448936aae89e742452c3b

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/6f80224057803f85b3f448936aae89e742452c3b

reference_url

https://github.com/rails/rails/tree/main/actionpack

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/tree/main/actionpack

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0449.yml

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0449.yml

reference_url

https://web.archive.org/web/20201207190612/http://securitytracker.com/id?1025061

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20201207190612/http://securitytracker.com/id?1025061

reference_url

http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

reference_url	http://www.vupen.com/english/advisories/2011/0877
reference_id
reference_type
scores
url	http://www.vupen.com/english/advisories/2011/0877

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2011-0449

reference_id

CVE-2011-0449

reference_type

scores

value	7.5
scoring_system	cvssv2
scoring_elements	AV:N/AC:L/Au:N/C:P/I:P/A:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-0449

reference_url

https://github.com/advisories/GHSA-4ww3-3rxj-8v6q

reference_id

GHSA-4ww3-3rxj-8v6q

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4ww3-3rxj-8v6q

reference_url	https://security.gentoo.org/glsa/201412-28
reference_id	GLSA-201412-28
reference_type
scores
url	https://security.gentoo.org/glsa/201412-28

fixed_packages

aliases

CVE-2011-0449, GHSA-4ww3-3rxj-8v6q

risk_score

4.0

exploitability

0.5

weighted_severity

8.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-6j55-bstz-yybj

url

VCID-7f5r-9h1g-nuch

vulnerability_id

VCID-7f5r-9h1g-nuch

summary

Exposure of Sensitive Information to an Unauthorized Actor
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.

references

reference_url

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2009-3086

reference_id

reference_type

scores

value	0.00556
scoring_system	epss
scoring_elements	0.68185
published_at	2026-04-16T12:55:00Z

value	0.00556
scoring_system	epss
scoring_elements	0.68147
published_at	2026-04-13T12:55:00Z

value	0.00556
scoring_system	epss
scoring_elements	0.6818
published_at	2026-04-12T12:55:00Z

value	0.00556
scoring_system	epss
scoring_elements	0.68194
published_at	2026-04-11T12:55:00Z

value	0.00556
scoring_system	epss
scoring_elements	0.68169
published_at	2026-04-09T12:55:00Z

value	0.00556
scoring_system	epss
scoring_elements	0.68154
published_at	2026-04-08T12:55:00Z

value	0.00556
scoring_system	epss
scoring_elements	0.68102
published_at	2026-04-07T12:55:00Z

value	0.00556
scoring_system	epss
scoring_elements	0.68125
published_at	2026-04-04T12:55:00Z

value	0.00556
scoring_system	epss
scoring_elements	0.68107
published_at	2026-04-02T12:55:00Z

value	0.00556
scoring_system	epss
scoring_elements	0.68084
published_at	2026-04-01T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2009-3086

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086

reference_url	http://secunia.com/advisories/36600
reference_id
reference_type
scores
url	http://secunia.com/advisories/36600

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0

reference_url

https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978

reference_url

https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3086.yml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3086.yml

reference_url

https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544

reference_url

https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600

reference_url

https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427

reference_url

http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails

reference_url

http://www.debian.org/security/2011/dsa-2260

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.debian.org/security/2011/dsa-2260

reference_url	http://www.securityfocus.com/bid/37427
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/37427

reference_url	http://www.vupen.com/english/advisories/2009/2544
reference_id
reference_type
scores
url	http://www.vupen.com/english/advisories/2009/2544

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
reference_id	545063
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2009-3086

reference_id

CVE-2009-3086

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2009-3086

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml

reference_id

CVE-2009-3086.YML

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml

reference_url

https://github.com/advisories/GHSA-fg9w-g6m4-557j

reference_id

GHSA-fg9w-g6m4-557j

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fg9w-g6m4-557j

reference_url	https://security.gentoo.org/glsa/200912-02
reference_id	GLSA-200912-02
reference_type
scores
url	https://security.gentoo.org/glsa/200912-02

fixed_packages

aliases

CVE-2009-3086, GHSA-fg9w-g6m4-557j

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-7f5r-9h1g-nuch

url VCID-a6sp-18av-wya6

vulnerability_id VCID-a6sp-18av-wya6

summary

Possible Strong Parameters Bypass in ActionPack
There is a strong parameters bypass vector in ActionPack.

Versions Affected:  rails <= 6.0.3
Not affected:       rails < 5.0.0
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------
In some cases user supplied information can be inadvertently leaked from
Strong Parameters.  Specifically the return value of `each`, or `each_value`,
or `each_pair` will return the underlying "untrusted" hash of data that was
read from the parameters.  Applications that use this return value may be
inadvertently use untrusted user input.

Impacted code will look something like this:

```
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above
example.

Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in your
application.

references

reference_url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8164

reference_id

reference_type

scores

value	0.07389
scoring_system	epss
scoring_elements	0.91752
published_at	2026-04-16T12:55:00Z

value	0.07389
scoring_system	epss
scoring_elements	0.9169
published_at	2026-04-01T12:55:00Z

value	0.07389
scoring_system	epss
scoring_elements	0.91698
published_at	2026-04-02T12:55:00Z

value	0.07389
scoring_system	epss
scoring_elements	0.91703
published_at	2026-04-04T12:55:00Z

value	0.07389
scoring_system	epss
scoring_elements	0.91712
published_at	2026-04-07T12:55:00Z

value	0.07389
scoring_system	epss
scoring_elements	0.91724
published_at	2026-04-08T12:55:00Z

value	0.07389
scoring_system	epss
scoring_elements	0.91731
published_at	2026-04-09T12:55:00Z

value	0.07389
scoring_system	epss
scoring_elements	0.91734
published_at	2026-04-11T12:55:00Z

value	0.07389
scoring_system	epss
scoring_elements	0.91736
published_at	2026-04-12T12:55:00Z

value	0.07389
scoring_system	epss
scoring_elements	0.91732
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml

reference_url

https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

reference_url

https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY

reference_url

https://hackerone.com/reports/292797

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/292797

reference_url

https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html

reference_url

https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8164

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8164

reference_url

https://www.debian.org/security/2020/dsa-4766

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2020/dsa-4766

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1842634
reference_id	1842634
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1842634

reference_url

https://github.com/advisories/GHSA-8727-m6gj-mc37

reference_id

GHSA-8727-m6gj-mc37

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8727-m6gj-mc37

reference_url	https://access.redhat.com/errata/RHSA-2021:1313
reference_id	RHSA-2021:1313
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:1313

fixed_packages

url pkg:gem/actionpack@5.2.4.3

purl pkg:gem/actionpack@5.2.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1xgz-hwng-n3eq

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ce39-j83r-6ug9

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-gjey-bqtd-kqa1

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-jwun-grgg-2uet

vulnerability	VCID-msda-xqbp-qfdd

vulnerability	VCID-p5mc-r1rg-5ff7

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

vulnerability	VCID-wg3a-j2dp-ayh4

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.4.3

url pkg:gem/actionpack@6.0.3.1

purl pkg:gem/actionpack@6.0.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-12x8-jxdf-jqdz

vulnerability	VCID-1bxs-yghe-cyck

vulnerability	VCID-1x8k-t8mr-3fgp

vulnerability	VCID-1xgz-hwng-n3eq

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ce39-j83r-6ug9

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-gjey-bqtd-kqa1

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-jwun-grgg-2uet

vulnerability	VCID-msda-xqbp-qfdd

vulnerability	VCID-p5mc-r1rg-5ff7

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

vulnerability	VCID-wg3a-j2dp-ayh4

vulnerability	VCID-wyy6-h8bq-vyde

vulnerability	VCID-zy7d-3db6-sydw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.1

aliases CVE-2020-8164, GHSA-8727-m6gj-mc37

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a6sp-18av-wya6

url

VCID-cdnw-t8n1-23ep

vulnerability_id

VCID-cdnw-t8n1-23ep

summary

Improper Input Validation
The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.

references

reference_url	http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html
reference_id
reference_type
scores
url	http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2011-3187

reference_id

reference_type

scores

value	0.09049
scoring_system	epss
scoring_elements	0.92606
published_at	2026-04-01T12:55:00Z

value	0.09049
scoring_system	epss
scoring_elements	0.92653
published_at	2026-04-16T12:55:00Z

value	0.09049
scoring_system	epss
scoring_elements	0.9264
published_at	2026-04-13T12:55:00Z

value	0.09049
scoring_system	epss
scoring_elements	0.92636
published_at	2026-04-09T12:55:00Z

value	0.09049
scoring_system	epss
scoring_elements	0.9263
published_at	2026-04-08T12:55:00Z

value	0.09049
scoring_system	epss
scoring_elements	0.92619
published_at	2026-04-07T12:55:00Z

value	0.09049
scoring_system	epss
scoring_elements	0.92612
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2011-3187

reference_url

https://bugzilla.novell.com/show_bug.cgi?id=673010

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.novell.com/show_bug.cgi?id=673010

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3187
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3187

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3187.yml

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3187.yml

reference_url

https://web.archive.org/web/20111209181000/http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20111209181000/http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html

reference_url

http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html

reference_url

http://www.openwall.com/lists/oss-security/2011/08/17/1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/17/1

reference_url

http://www.openwall.com/lists/oss-security/2011/08/19/11

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/19/11

reference_url

http://www.openwall.com/lists/oss-security/2011/08/20/1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/20/1

reference_url

http://www.openwall.com/lists/oss-security/2011/08/22/13

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/22/13

reference_url

http://www.openwall.com/lists/oss-security/2011/08/22/14

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/22/14

reference_url

http://www.openwall.com/lists/oss-security/2011/08/22/5

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/22/5

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2011-3187

reference_id

CVE-2011-3187

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-3187

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/35352.rb
reference_id	CVE-2011-3187;OSVDB-73733
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/35352.rb

reference_url	https://www.securityfocus.com/bid/46423/info
reference_id	CVE-2011-3187;OSVDB-73733
reference_type	exploit
scores
url	https://www.securityfocus.com/bid/46423/info

reference_url

https://github.com/advisories/GHSA-3vfw-7rcp-3xgm

reference_id

GHSA-3vfw-7rcp-3xgm

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3vfw-7rcp-3xgm

fixed_packages

aliases

CVE-2011-3187, GHSA-3vfw-7rcp-3xgm

risk_score

10.0

exploitability

2.0

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-cdnw-t8n1-23ep

url

VCID-cnqr-6e98-5kgk

vulnerability_id

VCID-cnqr-6e98-5kgk

summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.

references

reference_url

http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2011-0446

reference_id

reference_type

scores

value	0.0067
scoring_system	epss
scoring_elements	0.71366
published_at	2026-04-16T12:55:00Z

value	0.0067
scoring_system	epss
scoring_elements	0.71274
published_at	2026-04-07T12:55:00Z

value	0.0067
scoring_system	epss
scoring_elements	0.71282
published_at	2026-04-02T12:55:00Z

value	0.0067
scoring_system	epss
scoring_elements	0.713
published_at	2026-04-04T12:55:00Z

value	0.0067
scoring_system	epss
scoring_elements	0.71316
published_at	2026-04-08T12:55:00Z

value	0.0067
scoring_system	epss
scoring_elements	0.71329
published_at	2026-04-09T12:55:00Z

value	0.0067
scoring_system	epss
scoring_elements	0.71352
published_at	2026-04-11T12:55:00Z

value	0.0067
scoring_system	epss
scoring_elements	0.71337
published_at	2026-04-12T12:55:00Z

value	0.0067
scoring_system	epss
scoring_elements	0.7132
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2011-0446

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0446
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0446

reference_url	http://secunia.com/advisories/43274
reference_id
reference_type
scores
url	http://secunia.com/advisories/43274

reference_url	http://secunia.com/advisories/43666
reference_id
reference_type
scores
url	http://secunia.com/advisories/43666

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217

reference_url

https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2

reference_url

https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ

reference_url

https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274

reference_url

https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666

reference_url

https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291

reference_url

https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-0446

reference_url	http://www.securityfocus.com/bid/46291
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/46291

reference_url	http://www.securitytracker.com/id?1025064
reference_id
reference_type
scores
url	http://www.securitytracker.com/id?1025064

reference_url	http://www.vupen.com/english/advisories/2011/0587
reference_id
reference_type
scores
url	http://www.vupen.com/english/advisories/2011/0587

reference_url	http://www.vupen.com/english/advisories/2011/0877
reference_id
reference_type
scores
url	http://www.vupen.com/english/advisories/2011/0877

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864
reference_id	614864
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.0.0:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:rc1::::::
reference_id	cpe:2.3:a:rubyonrails:rails:2.0.0:rc1::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:rc1::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:rc2::::::
reference_id	cpe:2.3:a:rubyonrails:rails:2.0.0:rc2::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.0:rc2::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.1:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.0.1:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.1:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.2:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.0.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.4:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.0.4:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.0.4:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.0:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.1.0:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.0:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.1:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.1.1:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.1:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.2:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.1.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.1.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.0:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.2.0:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.0:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.1:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.2.1:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.1:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.2:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.2.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.2.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta2::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta3::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:beta4::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.0:rc2::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.1:pre::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.2:pre::::::

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.3:::::::*

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::
reference_id	cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:3.0.4:rc1::::::

reference_url

reference_id

CVE-2011-0446

reference_type

scores

value	4.3
scoring_system	cvssv2
scoring_elements	AV:N/AC:M/Au:N/C:N/I:P/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-0446

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml

reference_id

CVE-2011-0446.YML

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml

reference_id

CVE-2011-0446.YML

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml

reference_url

https://github.com/advisories/GHSA-75w6-p6mg-vh8j

reference_id

GHSA-75w6-p6mg-vh8j

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-75w6-p6mg-vh8j

reference_url	https://security.gentoo.org/glsa/201412-28
reference_id	GLSA-201412-28
reference_type
scores
url	https://security.gentoo.org/glsa/201412-28

fixed_packages

aliases

CVE-2011-0446, GHSA-75w6-p6mg-vh8j

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-cnqr-6e98-5kgk

url VCID-dd9p-x7k3-37ea

vulnerability_id VCID-dd9p-x7k3-37ea

summary

Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-28362

reference_id

reference_type

scores

value	0.00224
scoring_system	epss
scoring_elements	0.45215
published_at	2026-04-16T12:55:00Z

value	0.00224
scoring_system	epss
scoring_elements	0.45164
published_at	2026-04-13T12:55:00Z

value	0.00224
scoring_system	epss
scoring_elements	0.45162
published_at	2026-04-12T12:55:00Z

value	0.00224
scoring_system	epss
scoring_elements	0.45194
published_at	2026-04-11T12:55:00Z

value	0.00224
scoring_system	epss
scoring_elements	0.45174
published_at	2026-04-09T12:55:00Z

value	0.00224
scoring_system	epss
scoring_elements	0.45173
published_at	2026-04-08T12:55:00Z

value	0.00224
scoring_system	epss
scoring_elements	0.45177
published_at	2026-04-04T12:55:00Z

value	0.00224
scoring_system	epss
scoring_elements	0.4512
published_at	2026-04-07T12:55:00Z

value	0.00224
scoring_system	epss
scoring_elements	0.45155
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-28362

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362

reference_url

https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3
scoring_elements

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441

reference_url

reference_id

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441

reference_url

https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5

reference_id

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5

reference_url

https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23

reference_url

https://security.netapp.com/advisory/ntap-20250502-0009

reference_id

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20250502-0009

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
reference_id	1051058
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2217785
reference_id	2217785
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2217785

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-28362

reference_id

CVE-2023-28362

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-28362

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml

reference_id

CVE-2023-28362.YML

reference_type

scores

value	4.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml

reference_url

https://github.com/advisories/GHSA-4g8v-vg43-wpgf

reference_id

GHSA-4g8v-vg43-wpgf

reference_type

scores

value	4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/

url

https://github.com/advisories/GHSA-4g8v-vg43-wpgf

reference_url	https://access.redhat.com/errata/RHSA-2023:7851
reference_id	RHSA-2023:7851
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7851

fixed_packages

url pkg:gem/actionpack@6.1.7.4

purl pkg:gem/actionpack@6.1.7.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.4

url pkg:gem/actionpack@7.0.5.1

purl pkg:gem/actionpack@7.0.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5bh7-drnb-7ygg

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.5.1

aliases CVE-2023-28362, GHSA-4g8v-vg43-wpgf

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dd9p-x7k3-37ea

url VCID-ehbj-aezy-d7h4

vulnerability_id VCID-ehbj-aezy-d7h4

summary

Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch
# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines
of Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2024-26142.

Versions Affected:  >= 7.1.0, < 7.1.3.1
Not affected:       < 7.1.0
Fixed Versions:     7.1.3.1

Impact
------
Carefully crafted Accept headers can cause Accept header parsing in Action
Dispatch to take an unexpected amount of time, possibly resulting in a DoS
vulnerability.  All users running an affected release should either upgrade or
use one of the workarounds immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby
3.2 or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 7-1-accept-redox.patch - Patch for 7.1 series

Credits
-------
Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-26142

reference_id

reference_type

scores

value	0.03542
scoring_system	epss
scoring_elements	0.87692
published_at	2026-04-16T12:55:00Z

value	0.03542
scoring_system	epss
scoring_elements	0.87677
published_at	2026-04-13T12:55:00Z

value	0.03542
scoring_system	epss
scoring_elements	0.8768
published_at	2026-04-12T12:55:00Z

value	0.03542
scoring_system	epss
scoring_elements	0.87685
published_at	2026-04-11T12:55:00Z

value	0.03542
scoring_system	epss
scoring_elements	0.87632
published_at	2026-04-02T12:55:00Z

value	0.03542
scoring_system	epss
scoring_elements	0.87647
published_at	2026-04-07T12:55:00Z

value	0.03542
scoring_system	epss
scoring_elements	0.87645
published_at	2026-04-04T12:55:00Z

value	0.03542
scoring_system	epss
scoring_elements	0.87674
published_at	2026-04-09T12:55:00Z

value	0.03542
scoring_system	epss
scoring_elements	0.87667
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-26142

reference_url

https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272

reference_url

https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-26142

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-26142

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2266324
reference_id	2266324
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2266324

reference_url

https://github.com/advisories/GHSA-jjhx-jhvp-74wq

reference_id

GHSA-jjhx-jhvp-74wq

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jjhx-jhvp-74wq

reference_url

https://security.netapp.com/advisory/ntap-20240503-0003/

reference_id

ntap-20240503-0003

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/

url

https://security.netapp.com/advisory/ntap-20240503-0003/

fixed_packages

url pkg:gem/actionpack@7.1.3.1

purl pkg:gem/actionpack@7.1.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.3.1

aliases CVE-2024-26142, GHSA-jjhx-jhvp-74wq

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ehbj-aezy-d7h4

url VCID-g3rk-djae-pkeh

vulnerability_id VCID-g3rk-djae-pkeh

summary

Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper in Action Pack.

Impact
------
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits
-------
Thanks to [ryotak](https://hackerone.com/ryotak) for the report!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-54133

reference_id

reference_type

scores

value	0.00122
scoring_system	epss
scoring_elements	0.31424
published_at	2026-04-02T12:55:00Z

value	0.00122
scoring_system	epss
scoring_elements	0.31466
published_at	2026-04-04T12:55:00Z

value	0.0019
scoring_system	epss
scoring_elements	0.40871
published_at	2026-04-12T12:55:00Z

value	0.0019
scoring_system	epss
scoring_elements	0.40906
published_at	2026-04-11T12:55:00Z

value	0.0019
scoring_system	epss
scoring_elements	0.40834
published_at	2026-04-07T12:55:00Z

value	0.0019
scoring_system	epss
scoring_elements	0.4089
published_at	2026-04-09T12:55:00Z

value	0.0019
scoring_system	epss
scoring_elements	0.40883
published_at	2026-04-08T12:55:00Z

value	0.0019
scoring_system	epss
scoring_elements	0.40895
published_at	2026-04-16T12:55:00Z

value	0.0019
scoring_system	epss
scoring_elements	0.40852
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-54133

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133

reference_url

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49

reference_url

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/

url

https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49

reference_url

https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/

url

https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a

reference_url

https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/

url

https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542

reference_url

https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/

url

https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d

reference_url

https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v

reference_id

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/

url

https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-54133

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-54133

reference_url

https://security.netapp.com/advisory/ntap-20250306-0010

reference_id

reference_type

scores

value	2.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20250306-0010

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
reference_id	1089755
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2331619
reference_id	2331619
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2331619

reference_url

https://github.com/advisories/GHSA-vfm5-rmrh-j26v

reference_id

GHSA-vfm5-rmrh-j26v

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-vfm5-rmrh-j26v

fixed_packages

url	pkg:gem/actionpack@7.0.8.7
purl	pkg:gem/actionpack@7.0.8.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.7

url pkg:gem/actionpack@7.1.0.beta1

purl pkg:gem/actionpack@7.1.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1

url	pkg:gem/actionpack@7.1.5.1
purl	pkg:gem/actionpack@7.1.5.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.5.1

url pkg:gem/actionpack@7.2.0.beta1

purl pkg:gem/actionpack@7.2.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1

url	pkg:gem/actionpack@7.2.2.1
purl	pkg:gem/actionpack@7.2.2.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.2.1

url pkg:gem/actionpack@8.0.0.beta1

purl pkg:gem/actionpack@8.0.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1

url	pkg:gem/actionpack@8.0.0.1
purl	pkg:gem/actionpack@8.0.0.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.1

aliases CVE-2024-54133, GHSA-vfm5-rmrh-j26v

risk_score 1.9

exploitability 0.5

weighted_severity 3.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g3rk-djae-pkeh

url

VCID-hmp2-rmzv-wkhg

vulnerability_id

VCID-hmp2-rmzv-wkhg

summary

Improper Input Validation
The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."

references

reference_url

http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2011-2929

reference_id

reference_type

scores

value	0.00814
scoring_system	epss
scoring_elements	0.74282
published_at	2026-04-12T12:55:00Z

value	0.00814
scoring_system	epss
scoring_elements	0.74301
published_at	2026-04-11T12:55:00Z

value	0.00814
scoring_system	epss
scoring_elements	0.7428
published_at	2026-04-09T12:55:00Z

value	0.00814
scoring_system	epss
scoring_elements	0.74259
published_at	2026-04-04T12:55:00Z

value	0.00814
scoring_system	epss
scoring_elements	0.74232
published_at	2026-04-07T12:55:00Z

value	0.00814
scoring_system	epss
scoring_elements	0.74228
published_at	2026-04-01T12:55:00Z

value	0.00814
scoring_system	epss
scoring_elements	0.74265
published_at	2026-04-08T12:55:00Z

value	0.00814
scoring_system	epss
scoring_elements	0.74311
published_at	2026-04-16T12:55:00Z

value	0.00814
scoring_system	epss
scoring_elements	0.74274
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2011-2929

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=731432

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=731432

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2929.yml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2929.yml

reference_url

https://rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6

reference_url

http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6

reference_url

http://www.openwall.com/lists/oss-security/2011/08/17/1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/17/1

reference_url

http://www.openwall.com/lists/oss-security/2011/08/19/11

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/19/11

reference_url

http://www.openwall.com/lists/oss-security/2011/08/20/1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/20/1

reference_url

http://www.openwall.com/lists/oss-security/2011/08/22/13

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/22/13

reference_url

http://www.openwall.com/lists/oss-security/2011/08/22/14

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/22/14

reference_url

http://www.openwall.com/lists/oss-security/2011/08/22/5

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/22/5

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2011-2929

reference_id

CVE-2011-2929

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-2929

reference_url

https://github.com/advisories/GHSA-r7q2-5gqg-6c7q

reference_id

GHSA-r7q2-5gqg-6c7q

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r7q2-5gqg-6c7q

reference_url	https://security.gentoo.org/glsa/201412-28
reference_id	GLSA-201412-28
reference_type
scores
url	https://security.gentoo.org/glsa/201412-28

fixed_packages

aliases

CVE-2011-2929, GHSA-r7q2-5gqg-6c7q

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-hmp2-rmzv-wkhg

url VCID-hppf-a715-r7b2

vulnerability_id VCID-hppf-a715-r7b2

summary

ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22795

reference_id

reference_type

scores

value	0.01523
scoring_system	epss
scoring_elements	0.81303
published_at	2026-04-16T12:55:00Z

value	0.01523
scoring_system	epss
scoring_elements	0.8121
published_at	2026-04-02T12:55:00Z

value	0.01523
scoring_system	epss
scoring_elements	0.81234
published_at	2026-04-07T12:55:00Z

value	0.01523
scoring_system	epss
scoring_elements	0.81262
published_at	2026-04-08T12:55:00Z

value	0.01523
scoring_system	epss
scoring_elements	0.81267
published_at	2026-04-09T12:55:00Z

value	0.01523
scoring_system	epss
scoring_elements	0.81288
published_at	2026-04-11T12:55:00Z

value	0.01523
scoring_system	epss
scoring_elements	0.81274
published_at	2026-04-12T12:55:00Z

value	0.01523
scoring_system	epss
scoring_elements	0.81266
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f

reference_url

https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0

reference_url

https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592

reference_url

https://github.com/rails/rails/releases/tag/v6.1.7.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.7.1

reference_url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml

reference_url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id	1030050
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164799
reference_id	2164799
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164799

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-22795

reference_id

CVE-2023-22795

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22795

reference_url

https://github.com/advisories/GHSA-8xww-x3g3-6jcv

reference_id

GHSA-8xww-x3g3-6jcv

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8xww-x3g3-6jcv

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

fixed_packages

url pkg:gem/actionpack@5.2.8

purl pkg:gem/actionpack@5.2.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.8

url pkg:gem/actionpack@6.1.7.1

purl pkg:gem/actionpack@6.1.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.1

url pkg:gem/actionpack@7.0.4.1

purl pkg:gem/actionpack@7.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5bh7-drnb-7ygg

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.4.1

aliases CVE-2023-22795, GHSA-8xww-x3g3-6jcv, GMS-2023-56

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hppf-a715-r7b2

url

VCID-j24x-nhsb-yug6

vulnerability_id

VCID-j24x-nhsb-yug6

summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.

references

reference_url

http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html

reference_url

http://openwall.com/lists/oss-security/2011/06/09/2

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://openwall.com/lists/oss-security/2011/06/09/2

reference_url

http://openwall.com/lists/oss-security/2011/06/13/9

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://openwall.com/lists/oss-security/2011/06/13/9

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2011-2197

reference_id

reference_type

scores

value	0.00442
scoring_system	epss
scoring_elements	0.63314
published_at	2026-04-16T12:55:00Z

value	0.00442
scoring_system	epss
scoring_elements	0.6319
published_at	2026-04-01T12:55:00Z

value	0.00442
scoring_system	epss
scoring_elements	0.63249
published_at	2026-04-02T12:55:00Z

value	0.00442
scoring_system	epss
scoring_elements	0.63278
published_at	2026-04-13T12:55:00Z

value	0.00442
scoring_system	epss
scoring_elements	0.63243
published_at	2026-04-07T12:55:00Z

value	0.00442
scoring_system	epss
scoring_elements	0.63295
published_at	2026-04-08T12:55:00Z

value	0.00442
scoring_system	epss
scoring_elements	0.63313
published_at	2026-04-09T12:55:00Z

value	0.00442
scoring_system	epss
scoring_elements	0.6333
published_at	2026-04-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2011-2197

reference_url	http://secunia.com/advisories/44789
reference_id
reference_type
scores
url	http://secunia.com/advisories/44789

reference_url

https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd

reference_url

https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da

reference_url

http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2011-2197

reference_id

CVE-2011-2197

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-2197

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml

reference_id

CVE-2011-2197.YML

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml

reference_url

https://github.com/advisories/GHSA-v9v4-7jp6-8c73

reference_id

GHSA-v9v4-7jp6-8c73

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v9v4-7jp6-8c73

fixed_packages

aliases

CVE-2011-2197, GHSA-v9v4-7jp6-8c73

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-j24x-nhsb-yug6

url VCID-jwun-grgg-2uet

vulnerability_id VCID-jwun-grgg-2uet

summary

Exposure of information in Action Pack
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23634.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-23633

reference_id

reference_type

scores

value	0.00367
scoring_system	epss
scoring_elements	0.58669
published_at	2026-04-09T12:55:00Z

value	0.00367
scoring_system	epss
scoring_elements	0.58687
published_at	2026-04-11T12:55:00Z

value	0.00367
scoring_system	epss
scoring_elements	0.58648
published_at	2026-04-13T12:55:00Z

value	0.00367
scoring_system	epss
scoring_elements	0.5868
published_at	2026-04-16T12:55:00Z

value	0.00367
scoring_system	epss
scoring_elements	0.58667
published_at	2026-04-12T12:55:00Z

value	0.00367
scoring_system	epss
scoring_elements	0.58623
published_at	2026-04-02T12:55:00Z

value	0.00367
scoring_system	epss
scoring_elements	0.5861
published_at	2026-04-07T12:55:00Z

value	0.00367
scoring_system	epss
scoring_elements	0.58643
published_at	2026-04-04T12:55:00Z

value	0.00367
scoring_system	epss
scoring_elements	0.58662
published_at	2026-04-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-23633

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-23634

reference_id

reference_type

scores

value	0.00441
scoring_system	epss
scoring_elements	0.63267
published_at	2026-04-09T12:55:00Z

value	0.00441
scoring_system	epss
scoring_elements	0.6327
published_at	2026-04-16T12:55:00Z

value	0.00441
scoring_system	epss
scoring_elements	0.63233
published_at	2026-04-13T12:55:00Z

value	0.00441
scoring_system	epss
scoring_elements	0.63269
published_at	2026-04-12T12:55:00Z

value	0.00441
scoring_system	epss
scoring_elements	0.63284
published_at	2026-04-11T12:55:00Z

value	0.00441
scoring_system	epss
scoring_elements	0.6325
published_at	2026-04-08T12:55:00Z

value	0.00441
scoring_system	epss
scoring_elements	0.63198
published_at	2026-04-07T12:55:00Z

value	0.00453
scoring_system	epss
scoring_elements	0.63789
published_at	2026-04-04T12:55:00Z

value	0.00453
scoring_system	epss
scoring_elements	0.63763
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-23634

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23634

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/puma/puma

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/puma/puma

reference_url

https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb

reference_url

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

reference_url

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml

reference_url

https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ

reference_url

https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1

reference_url

https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html

reference_url

https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html

reference_url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/

reference_url

https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released

reference_url

https://security.gentoo.org/glsa/202208-28

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.gentoo.org/glsa/202208-28

reference_url

https://security.netapp.com/advisory/ntap-20240119-0013

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240119-0013

reference_url	https://security.netapp.com/advisory/ntap-20240119-0013/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20240119-0013/

reference_url

https://www.debian.org/security/2022/dsa-5146

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2022/dsa-5146

reference_url

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2022/02/11/5

reference_url

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2022/02/11/5

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
reference_id	1005389
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391
reference_id	1005391
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005391

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2054211
reference_id	2054211
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2054211

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2063149
reference_id	2063149
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2063149

reference_url

https://security.archlinux.org/AVG-2764

reference_id

AVG-2764

reference_type

scores

value	High
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2764

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23633

reference_id

CVE-2022-23633

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23633

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23634

reference_id

CVE-2022-23634

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23634

reference_url

https://github.com/advisories/GHSA-rmj8-8hhh-gv5h

reference_id

GHSA-rmj8-8hhh-gv5h

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-rmj8-8hhh-gv5h

reference_url

https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h

reference_id

GHSA-rmj8-8hhh-gv5h

reference_type

scores

value	8.0
scoring_system	cvssv3
scoring_elements

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h

reference_url

https://github.com/advisories/GHSA-wh98-p28r-vrc9

reference_id

GHSA-wh98-p28r-vrc9

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-wh98-p28r-vrc9

reference_url

https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

reference_id

GHSA-wh98-p28r-vrc9

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

reference_url	https://access.redhat.com/errata/RHSA-2022:5498
reference_id	RHSA-2022:5498
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:5498

reference_url	https://usn.ubuntu.com/6682-1/
reference_id	USN-6682-1
reference_type
scores
url	https://usn.ubuntu.com/6682-1/

fixed_packages

url pkg:gem/actionpack@5.2.6.2

purl pkg:gem/actionpack@5.2.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ce39-j83r-6ug9

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-p5mc-r1rg-5ff7

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.6.2

url pkg:gem/actionpack@6.0.0.beta1

purl pkg:gem/actionpack@6.0.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1xgz-hwng-n3eq

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-msda-xqbp-qfdd

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.0.beta1

url pkg:gem/actionpack@6.0.4.6

purl pkg:gem/actionpack@6.0.4.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ce39-j83r-6ug9

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-p5mc-r1rg-5ff7

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.6

url pkg:gem/actionpack@6.1.0.rc1

purl pkg:gem/actionpack@6.1.0.rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-msda-xqbp-qfdd

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.0.rc1

url pkg:gem/actionpack@6.1.4.6

purl pkg:gem/actionpack@6.1.4.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ce39-j83r-6ug9

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-p5mc-r1rg-5ff7

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.4.6

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

url pkg:gem/actionpack@7.0.2.2

purl pkg:gem/actionpack@7.0.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5bh7-drnb-7ygg

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-6tty-dbwx-rbgx

vulnerability	VCID-ce39-j83r-6ug9

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-p5mc-r1rg-5ff7

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.2

aliases CVE-2022-23633, CVE-2022-23634, GHSA-rmj8-8hhh-gv5h, GHSA-wh98-p28r-vrc9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jwun-grgg-2uet

url

VCID-knsd-pv15-tydx

vulnerability_id

VCID-knsd-pv15-tydx

summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.

references

reference_url

http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2011-2931

reference_id

reference_type

scores

value	0.00813
scoring_system	epss
scoring_elements	0.74293
published_at	2026-04-16T12:55:00Z

value	0.00813
scoring_system	epss
scoring_elements	0.74208
published_at	2026-04-01T12:55:00Z

value	0.00813
scoring_system	epss
scoring_elements	0.74214
published_at	2026-04-02T12:55:00Z

value	0.00813
scoring_system	epss
scoring_elements	0.7424
published_at	2026-04-04T12:55:00Z

value	0.00813
scoring_system	epss
scoring_elements	0.74213
published_at	2026-04-07T12:55:00Z

value	0.00813
scoring_system	epss
scoring_elements	0.74246
published_at	2026-04-08T12:55:00Z

value	0.00813
scoring_system	epss
scoring_elements	0.7426
published_at	2026-04-09T12:55:00Z

value	0.00813
scoring_system	epss
scoring_elements	0.74282
published_at	2026-04-11T12:55:00Z

value	0.00813
scoring_system	epss
scoring_elements	0.74263
published_at	2026-04-12T12:55:00Z

value	0.00813
scoring_system	epss
scoring_elements	0.74256
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2011-2931

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=731436

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=731436

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2931
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2931

reference_url	http://secunia.com/advisories/45921
reference_id
reference_type
scores
url	http://secunia.com/advisories/45921

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2931.yml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2931.yml

reference_url

http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6

reference_url

http://www.debian.org/security/2011/dsa-2301

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.debian.org/security/2011/dsa-2301

reference_url

http://www.openwall.com/lists/oss-security/2011/08/17/1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/17/1

reference_url

http://www.openwall.com/lists/oss-security/2011/08/19/11

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/19/11

reference_url

http://www.openwall.com/lists/oss-security/2011/08/20/1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/20/1

reference_url

http://www.openwall.com/lists/oss-security/2011/08/22/13

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/22/13

reference_url

http://www.openwall.com/lists/oss-security/2011/08/22/14

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/22/14

reference_url

http://www.openwall.com/lists/oss-security/2011/08/22/5

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2011/08/22/5

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2011-2931

reference_id

CVE-2011-2931

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-2931

reference_url

https://github.com/advisories/GHSA-v5jg-558j-q67c

reference_id

GHSA-v5jg-558j-q67c

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-v5jg-558j-q67c

reference_url	https://security.gentoo.org/glsa/201412-28
reference_id	GLSA-201412-28
reference_type
scores
url	https://security.gentoo.org/glsa/201412-28

fixed_packages

aliases

CVE-2011-2931, GHSA-v5jg-558j-q67c

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-knsd-pv15-tydx

url VCID-mnkw-23eu-bkgc

vulnerability_id VCID-mnkw-23eu-bkgc

summary

Ability to forge per-form CSRF tokens in Rails
It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Impact
------

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8166

reference_id

reference_type

scores

value	0.00443
scoring_system	epss
scoring_elements	0.63345
published_at	2026-04-16T12:55:00Z

value	0.00443
scoring_system	epss
scoring_elements	0.63311
published_at	2026-04-13T12:55:00Z

value	0.00443
scoring_system	epss
scoring_elements	0.63348
published_at	2026-04-12T12:55:00Z

value	0.00443
scoring_system	epss
scoring_elements	0.63364
published_at	2026-04-11T12:55:00Z

value	0.00443
scoring_system	epss
scoring_elements	0.63347
published_at	2026-04-09T12:55:00Z

value	0.00443
scoring_system	epss
scoring_elements	0.63329
published_at	2026-04-08T12:55:00Z

value	0.00443
scoring_system	epss
scoring_elements	0.63278
published_at	2026-04-07T12:55:00Z

value	0.00443
scoring_system	epss
scoring_elements	0.63312
published_at	2026-04-04T12:55:00Z

value	0.00443
scoring_system	epss
scoring_elements	0.63284
published_at	2026-04-02T12:55:00Z

value	0.00443
scoring_system	epss
scoring_elements	0.63225
published_at	2026-04-01T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8166

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml

reference_url

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml

reference_url

https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

reference_url	https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw
reference_id
reference_type
scores
url	https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw

reference_url

https://hackerone.com/reports/732415

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/732415

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8166

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8166

reference_url	https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
url	https://www.debian.org/security/2020/dsa-4766

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1843152
reference_id	1843152
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1843152

reference_url

https://github.com/advisories/GHSA-jp5v-5gx4-jmj9

reference_id

GHSA-jp5v-5gx4-jmj9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jp5v-5gx4-jmj9

reference_url	https://access.redhat.com/errata/RHSA-2021:1313
reference_id	RHSA-2021:1313
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:1313

fixed_packages

url pkg:gem/actionpack@5.2.4.3

purl pkg:gem/actionpack@5.2.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1xgz-hwng-n3eq

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ce39-j83r-6ug9

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-gjey-bqtd-kqa1

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-jwun-grgg-2uet

vulnerability	VCID-msda-xqbp-qfdd

vulnerability	VCID-p5mc-r1rg-5ff7

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

vulnerability	VCID-wg3a-j2dp-ayh4

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.4.3

url pkg:gem/actionpack@6.0.3.1

purl pkg:gem/actionpack@6.0.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-12x8-jxdf-jqdz

vulnerability	VCID-1bxs-yghe-cyck

vulnerability	VCID-1x8k-t8mr-3fgp

vulnerability	VCID-1xgz-hwng-n3eq

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ce39-j83r-6ug9

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-gjey-bqtd-kqa1

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-jwun-grgg-2uet

vulnerability	VCID-msda-xqbp-qfdd

vulnerability	VCID-p5mc-r1rg-5ff7

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

vulnerability	VCID-wg3a-j2dp-ayh4

vulnerability	VCID-wyy6-h8bq-vyde

vulnerability	VCID-zy7d-3db6-sydw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.1

aliases CVE-2020-8166, GHSA-jp5v-5gx4-jmj9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mnkw-23eu-bkgc

url VCID-msda-xqbp-qfdd

vulnerability_id VCID-msda-xqbp-qfdd

summary

Possible Open Redirect Vulnerability in Action Pack
There is a possible Open Redirect Vulnerability in Action Pack.

Versions Affected:  >= v6.1.0.rc2
Not affected:       < v6.1.0.rc2
Fixed Versions:     6.1.3.2

Impact
------
This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious
website.

Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
The following monkey patch put in an initializer can be used as a workaround.

```ruby
class ActionDispatch::HostAuthorization::Permissions
  def sanitize_string(host)
    if host.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      /\A#{Regexp.escape host}\z/i
    end
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 6-1-open-redirect.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22903

reference_id

reference_type

scores

value	0.00151
scoring_system	epss
scoring_elements	0.35808
published_at	2026-04-16T12:55:00Z

value	0.00151
scoring_system	epss
scoring_elements	0.35768
published_at	2026-04-13T12:55:00Z

value	0.00151
scoring_system	epss
scoring_elements	0.35791
published_at	2026-04-12T12:55:00Z

value	0.00151
scoring_system	epss
scoring_elements	0.3592
published_at	2026-04-04T12:55:00Z

value	0.00151
scoring_system	epss
scoring_elements	0.35831
published_at	2026-04-11T12:55:00Z

value	0.00151
scoring_system	epss
scoring_elements	0.35823
published_at	2026-04-09T12:55:00Z

value	0.00151
scoring_system	epss
scoring_elements	0.35801
published_at	2026-04-08T12:55:00Z

value	0.00151
scoring_system	epss
scoring_elements	0.35693
published_at	2026-04-01T12:55:00Z

value	0.00151
scoring_system	epss
scoring_elements	0.35751
published_at	2026-04-07T12:55:00Z

value	0.00151
scoring_system	epss
scoring_elements	0.3589
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22903

reference_url

https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0

reference_url

https://hackerone.com/reports/1148025

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1148025

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-22903

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22903

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1957438
reference_id	1957438
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1957438

reference_url

https://security.archlinux.org/AVG-1919

reference_id

AVG-1919

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-1919

reference_url

https://github.com/advisories/GHSA-5hq2-xf89-9jxq

reference_id

GHSA-5hq2-xf89-9jxq

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5hq2-xf89-9jxq

fixed_packages

url pkg:gem/actionpack@6.1.3.2

purl pkg:gem/actionpack@6.1.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1bxs-yghe-cyck

vulnerability	VCID-1x8k-t8mr-3fgp

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ce39-j83r-6ug9

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-jwun-grgg-2uet

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-p5mc-r1rg-5ff7

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2

aliases CVE-2021-22903, GHSA-5hq2-xf89-9jxq

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-msda-xqbp-qfdd

url VCID-p5mc-r1rg-5ff7

vulnerability_id VCID-p5mc-r1rg-5ff7

summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in actionview.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-27777

reference_id

reference_type

scores

value	0.00911
scoring_system	epss
scoring_elements	0.7586
published_at	2026-04-16T12:55:00Z

value	0.00911
scoring_system	epss
scoring_elements	0.75823
published_at	2026-04-13T12:55:00Z

value	0.00911
scoring_system	epss
scoring_elements	0.75829
published_at	2026-04-12T12:55:00Z

value	0.00911
scoring_system	epss
scoring_elements	0.75848
published_at	2026-04-11T12:55:00Z

value	0.00911
scoring_system	epss
scoring_elements	0.75824
published_at	2026-04-09T12:55:00Z

value	0.00911
scoring_system	epss
scoring_elements	0.75812
published_at	2026-04-08T12:55:00Z

value	0.00911
scoring_system	epss
scoring_elements	0.7578
published_at	2026-04-07T12:55:00Z

value	0.00911
scoring_system	epss
scoring_elements	0.75801
published_at	2026-04-04T12:55:00Z

value	0.00911
scoring_system	epss
scoring_elements	0.75768
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85

reference_url

https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw

reference_url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_url

https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-27777

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982
reference_id	1016982
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2080296
reference_id	2080296
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2080296

reference_url

reference_id

CVE-2022-27777

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-27777

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml

reference_id

CVE-2022-27777.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml

reference_url

https://github.com/advisories/GHSA-ch3h-j2vf-95pv

reference_id

GHSA-ch3h-j2vf-95pv

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-ch3h-j2vf-95pv

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

fixed_packages

url pkg:gem/actionpack@5.2.7.1

purl pkg:gem/actionpack@5.2.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.7.1

url pkg:gem/actionpack@6.0.4.8

purl pkg:gem/actionpack@6.0.4.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.4.8

url pkg:gem/actionpack@6.1.5.1

purl pkg:gem/actionpack@6.1.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.5.1

url pkg:gem/actionpack@7.0.2.4

purl pkg:gem/actionpack@7.0.2.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5bh7-drnb-7ygg

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-6tty-dbwx-rbgx

vulnerability	VCID-dd9p-x7k3-37ea

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.2.4

aliases CVE-2022-27777, GHSA-ch3h-j2vf-95pv, GMS-2022-1138

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p5mc-r1rg-5ff7

url

VCID-phxs-zet8-ryh3

vulnerability_id

VCID-phxs-zet8-ryh3

summary

SQL Injection
Ruby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary `IS NULL` clauses in to application SQL queries. This may also allow an attacker to have the SQL query check for `NULL` in arbitrary places.

references

reference_url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html

reference_url

http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://api.first.org/data/v1/epss?cve=CVE-2012-2660

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2660.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2660.json

reference_url

reference_id

reference_type

scores

value	0.00294
scoring_system	epss
scoring_elements	0.52801
published_at	2026-04-16T12:55:00Z

value	0.00294
scoring_system	epss
scoring_elements	0.52708
published_at	2026-04-02T12:55:00Z

value	0.00294
scoring_system	epss
scoring_elements	0.52734
published_at	2026-04-04T12:55:00Z

value	0.00294
scoring_system	epss
scoring_elements	0.527
published_at	2026-04-07T12:55:00Z

value	0.00294
scoring_system	epss
scoring_elements	0.52751
published_at	2026-04-08T12:55:00Z

value	0.00294
scoring_system	epss
scoring_elements	0.52745
published_at	2026-04-09T12:55:00Z

value	0.00294
scoring_system	epss
scoring_elements	0.52796
published_at	2026-04-11T12:55:00Z

value	0.00294
scoring_system	epss
scoring_elements	0.5278
published_at	2026-04-12T12:55:00Z

value	0.00294
scoring_system	epss
scoring_elements	0.52763
published_at	2026-04-13T12:55:00Z

value	0.00294
scoring_system	epss
scoring_elements	0.52663
published_at	2026-04-01T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2012-2660

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/61eed87ce32caf534bf1f52dd8134097b4ad9e1b

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/61eed87ce32caf534bf1f52dd8134097b4ad9e1b

reference_url	https://github.com/rails/rails/commit/dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d#diff-3179d24efacadd64068c4d9c1184eac3
reference_id
reference_type
scores
url	https://github.com/rails/rails/commit/dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d#diff-3179d24efacadd64068c4d9c1184eac3

reference_url	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/OSVDB-82610.yml
reference_id
reference_type
scores
url	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/OSVDB-82610.yml

reference_url	https://groups.google.com/forum/#!original/rubyonrails-security/8SA-M3as7A8/Mr9fi9X4kNgJ
reference_id
reference_type
scores
url	https://groups.google.com/forum/#!original/rubyonrails-security/8SA-M3as7A8/Mr9fi9X4kNgJ

reference_url

https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/group/rubyonrails-security/msg/d890f8d58b5fbf32?dmode=source&output=gplain

reference_url

https://groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=827353
reference_id	827353
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=827353

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2012-2660

reference_id

CVE-2012-2660

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2012-2660

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2660.yml

reference_id

CVE-2012-2660.YML

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2660.yml

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2660.yml

reference_id

CVE-2012-2660.YML

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2012-2660.yml

reference_url

https://github.com/advisories/GHSA-hgpp-pp89-4fgf

reference_id

GHSA-hgpp-pp89-4fgf

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hgpp-pp89-4fgf

reference_url	https://access.redhat.com/errata/RHSA-2012:1542
reference_id	RHSA-2012:1542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2012:1542

reference_url	https://access.redhat.com/errata/RHSA-2013:0154
reference_id	RHSA-2013:0154
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:0154

fixed_packages

aliases

CVE-2012-2660, GHSA-hgpp-pp89-4fgf, OSV-82610

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-phxs-zet8-ryh3

url

VCID-rps2-k24p-9qgq

vulnerability_id

VCID-rps2-k24p-9qgq

summary

Translate helper method which may allow an attacker to insert arbitrary code into a page
The helper method for i18n translations has a convention whereby translations strings with a name ending in 'html' are considered HTML safe. There is also a mechanism for interpolation. It has been discovered that these 'html' strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped.

references

reference_url

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1

reference_url

http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain

reference_url

http://openwall.com/lists/oss-security/2011/11/18/8

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://openwall.com/lists/oss-security/2011/11/18/8

reference_url	http://osvdb.org/77199
reference_id
reference_type
scores
url	http://osvdb.org/77199

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-4319.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-4319.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2011-4319

reference_id

reference_type

scores

value	0.00607
scoring_system	epss
scoring_elements	0.6969
published_at	2026-04-12T12:55:00Z

value	0.00607
scoring_system	epss
scoring_elements	0.69705
published_at	2026-04-11T12:55:00Z

value	0.00607
scoring_system	epss
scoring_elements	0.69684
published_at	2026-04-09T12:55:00Z

value	0.00607
scoring_system	epss
scoring_elements	0.69666
published_at	2026-04-08T12:55:00Z

value	0.00607
scoring_system	epss
scoring_elements	0.69615
published_at	2026-04-07T12:55:00Z

value	0.00607
scoring_system	epss
scoring_elements	0.69607
published_at	2026-04-01T12:55:00Z

value	0.00607
scoring_system	epss
scoring_elements	0.69718
published_at	2026-04-16T12:55:00Z

value	0.00607
scoring_system	epss
scoring_elements	0.69677
published_at	2026-04-13T12:55:00Z

value	0.00607
scoring_system	epss
scoring_elements	0.69636
published_at	2026-04-04T12:55:00Z

value	0.00607
scoring_system	epss
scoring_elements	0.69621
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2011-4319

reference_url

https://exchange.xforce.ibmcloud.com/vulnerabilities/71364

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://exchange.xforce.ibmcloud.com/vulnerabilities/71364

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/2d5b105d4bcb652550dda8b5613376d1b8beb70c

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/2d5b105d4bcb652550dda8b5613376d1b8beb70c

reference_url

https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade

reference_url	https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade#diff-79e8a3e6d1d2808c4f93f63b3928a5a1
reference_id
reference_type
scores
url	https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade#diff-79e8a3e6d1d2808c4f93f63b3928a5a1

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml

reference_url	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-77199.yml
reference_id
reference_type
scores
url	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-77199.yml

reference_url

https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU

reference_url

https://web.archive.org/web/20200228155840/http://www.securityfocus.com/bid/50722

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20200228155840/http://www.securityfocus.com/bid/50722

reference_url

https://web.archive.org/web/20210307005941/http://www.securitytracker.com/id?1026342

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20210307005941/http://www.securitytracker.com/id?1026342

reference_url

http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released

reference_url

http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released

reference_url	http://www.securityfocus.com/bid/50722
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/50722

reference_url	http://www.securitytracker.com/id?1026342
reference_id
reference_type
scores
url	http://www.securitytracker.com/id?1026342

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=755004
reference_id	755004
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=755004

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2011-4319

reference_id

CVE-2011-4319

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-4319

reference_url

https://github.com/advisories/GHSA-xxr8-833v-c7wc

reference_id

GHSA-xxr8-833v-c7wc

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xxr8-833v-c7wc

fixed_packages

aliases

CVE-2011-4319, GHSA-xxr8-833v-c7wc, OSV-77199

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-rps2-k24p-9qgq

url VCID-sfyc-jewr-wuf5

vulnerability_id VCID-sfyc-jewr-wuf5

summary

Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact
------

For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.


Credits
-------
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-47887

reference_id

reference_type

scores

value	0.00296
scoring_system	epss
scoring_elements	0.5297
published_at	2026-04-16T12:55:00Z

value	0.00296
scoring_system	epss
scoring_elements	0.52876
published_at	2026-04-02T12:55:00Z

value	0.00296
scoring_system	epss
scoring_elements	0.52932
published_at	2026-04-13T12:55:00Z

value	0.00296
scoring_system	epss
scoring_elements	0.52948
published_at	2026-04-12T12:55:00Z

value	0.00296
scoring_system	epss
scoring_elements	0.52964
published_at	2026-04-11T12:55:00Z

value	0.00296
scoring_system	epss
scoring_elements	0.52914
published_at	2026-04-09T12:55:00Z

value	0.00296
scoring_system	epss
scoring_elements	0.5292
published_at	2026-04-08T12:55:00Z

value	0.00296
scoring_system	epss
scoring_elements	0.5287
published_at	2026-04-07T12:55:00Z

value	0.00296
scoring_system	epss
scoring_elements	0.52901
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-47887

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id	1085376
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2319034
reference_id	2319034
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2319034

reference_url

https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049

reference_id

56b2fc3302836405b496e196a8d5fc0195e55049

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049

reference_url

https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a

reference_id

7c1398854d51f9bb193fb79f226647351133d08a

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a

reference_url

https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545

reference_id

8e057db25bff1dc7a98e9ae72e0083825b9ac545

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2024-47887
reference_id	CVE-2024-47887
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2024-47887

reference_url

https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

reference_id

f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/

url

https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

reference_url

https://github.com/advisories/GHSA-vfg9-r3fq-jvx4

reference_id

GHSA-vfg9-r3fq-jvx4

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-vfg9-r3fq-jvx4

reference_url	https://usn.ubuntu.com/7290-1/
reference_id	USN-7290-1
reference_type
scores
url	https://usn.ubuntu.com/7290-1/

fixed_packages

url pkg:gem/actionpack@6.1.7.9

purl pkg:gem/actionpack@6.1.7.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

url pkg:gem/actionpack@7.0.8.5

purl pkg:gem/actionpack@7.0.8.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5

url pkg:gem/actionpack@7.1.0.beta1

purl pkg:gem/actionpack@7.1.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1

url pkg:gem/actionpack@7.1.4.1

purl pkg:gem/actionpack@7.1.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1

url pkg:gem/actionpack@7.2.0.beta1

purl pkg:gem/actionpack@7.2.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1

url pkg:gem/actionpack@7.2.1.1

purl pkg:gem/actionpack@7.2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1

url pkg:gem/actionpack@8.0.0.beta1

purl pkg:gem/actionpack@8.0.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1

aliases CVE-2024-47887, GHSA-vfg9-r3fq-jvx4

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sfyc-jewr-wuf5

url VCID-sgdb-985e-4uej

vulnerability_id VCID-sgdb-985e-4uej

summary

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact
------

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.


Credits
-------

Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json

reference_url

https://access.redhat.com/security/cve/cve-2024-41128

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://access.redhat.com/security/cve/cve-2024-41128

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-41128

reference_id

reference_type

scores

value	0.00605
scoring_system	epss
scoring_elements	0.69624
published_at	2026-04-09T12:55:00Z

value	0.00605
scoring_system	epss
scoring_elements	0.69608
published_at	2026-04-08T12:55:00Z

value	0.00605
scoring_system	epss
scoring_elements	0.69557
published_at	2026-04-07T12:55:00Z

value	0.00605
scoring_system	epss
scoring_elements	0.69562
published_at	2026-04-02T12:55:00Z

value	0.00605
scoring_system	epss
scoring_elements	0.69578
published_at	2026-04-04T12:55:00Z

value	0.00605
scoring_system	epss
scoring_elements	0.69657
published_at	2026-04-16T12:55:00Z

value	0.00605
scoring_system	epss
scoring_elements	0.69618
published_at	2026-04-13T12:55:00Z

value	0.00605
scoring_system	epss
scoring_elements	0.69632
published_at	2026-04-12T12:55:00Z

value	0.00605
scoring_system	epss
scoring_elements	0.69647
published_at	2026-04-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-41128

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2319036

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2319036

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075

reference_url

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075

reference_url

https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef

reference_url

https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891

reference_url

https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd

reference_url

https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/

url

https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-41128

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-41128

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id	1085376
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376

reference_url

https://github.com/advisories/GHSA-x76w-6vjr-8xgj

reference_id

GHSA-x76w-6vjr-8xgj

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-x76w-6vjr-8xgj

reference_url	https://usn.ubuntu.com/7290-1/
reference_id	USN-7290-1
reference_type
scores
url	https://usn.ubuntu.com/7290-1/

fixed_packages

url pkg:gem/actionpack@6.1.7.9

purl pkg:gem/actionpack@6.1.7.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.7.9

url pkg:gem/actionpack@7.0.0.alpha1

purl pkg:gem/actionpack@7.0.0.alpha1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-63gy-6njy-kbd8

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-hppf-a715-r7b2

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.0.alpha1

url pkg:gem/actionpack@7.0.8.5

purl pkg:gem/actionpack@7.0.8.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.5

url pkg:gem/actionpack@7.1.0.beta1

purl pkg:gem/actionpack@7.1.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ehbj-aezy-d7h4

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1

url pkg:gem/actionpack@7.1.4.1

purl pkg:gem/actionpack@7.1.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.4.1

url pkg:gem/actionpack@7.2.0.beta1

purl pkg:gem/actionpack@7.2.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-p22r-u1dd-b7b3

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1

url pkg:gem/actionpack@7.2.1.1

purl pkg:gem/actionpack@7.2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.1.1

url pkg:gem/actionpack@8.0.0.beta1

purl pkg:gem/actionpack@8.0.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-g3rk-djae-pkeh

vulnerability	VCID-sfyc-jewr-wuf5

vulnerability	VCID-sgdb-985e-4uej

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1

aliases CVE-2024-41128, GHSA-x76w-6vjr-8xgj

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sgdb-985e-4uej

url

VCID-tt6r-bytq-4fa4

vulnerability_id

VCID-tt6r-bytq-4fa4

summary

actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request
`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to CVE-2012-2660.

references

reference_url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html

reference_url

http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://api.first.org/data/v1/epss?cve=CVE-2012-2694

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2694.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2694.json

reference_url

reference_id

reference_type

scores

value	0.0022
scoring_system	epss
scoring_elements	0.44682
published_at	2026-04-08T12:55:00Z

value	0.0022
scoring_system	epss
scoring_elements	0.44693
published_at	2026-04-04T12:55:00Z

value	0.0022
scoring_system	epss
scoring_elements	0.44728
published_at	2026-04-16T12:55:00Z

value	0.0022
scoring_system	epss
scoring_elements	0.44671
published_at	2026-04-13T12:55:00Z

value	0.0022
scoring_system	epss
scoring_elements	0.4467
published_at	2026-04-12T12:55:00Z

value	0.0022
scoring_system	epss
scoring_elements	0.44701
published_at	2026-04-11T12:55:00Z

value	0.0022
scoring_system	epss
scoring_elements	0.44684
published_at	2026-04-09T12:55:00Z

value	0.0022
scoring_system	epss
scoring_elements	0.44631
published_at	2026-04-07T12:55:00Z

value	0.0022
scoring_system	epss
scoring_elements	0.44593
published_at	2026-04-01T12:55:00Z

value	0.0022
scoring_system	epss
scoring_elements	0.44673
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2012-2694

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/2f3bc0467311781ac1ceb2c8c2b09002c8fe143a

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/2f3bc0467311781ac1ceb2c8c2b09002c8fe143a

reference_url

https://github.com/rails/rails/commit/c202638225519b5e1a03ebe523b109c948fb0e52

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/c202638225519b5e1a03ebe523b109c948fb0e52

reference_url

https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain

reference_url

https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=831581
reference_id	831581
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=831581

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2012-2694

reference_id

CVE-2012-2694

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2012-2694

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml

reference_id

CVE-2012-2694.YML

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-2694.yml

reference_url

https://github.com/advisories/GHSA-q34c-48gc-m9g8

reference_id

GHSA-q34c-48gc-m9g8

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-q34c-48gc-m9g8

reference_url	https://access.redhat.com/errata/RHSA-2012:1542
reference_id	RHSA-2012:1542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2012:1542

reference_url	https://access.redhat.com/errata/RHSA-2013:0154
reference_id	RHSA-2013:0154
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:0154

fixed_packages

aliases

CVE-2012-2694, GHSA-q34c-48gc-m9g8

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-tt6r-bytq-4fa4

url

VCID-vgm2-8wjy-x7ed

vulnerability_id

VCID-vgm2-8wjy-x7ed

summary

Improper Input Validation
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

references

reference_url

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en

reference_url

http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html

reference_url

http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup

reference_url	http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
reference_id
reference_type
scores
url	http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7248.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7248.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2008-7248

reference_id

reference_type

scores

value	0.11409
scoring_system	epss
scoring_elements	0.9359
published_at	2026-04-16T12:55:00Z

value	0.11409
scoring_system	epss
scoring_elements	0.93535
published_at	2026-04-01T12:55:00Z

value	0.11409
scoring_system	epss
scoring_elements	0.93544
published_at	2026-04-02T12:55:00Z

value	0.11409
scoring_system	epss
scoring_elements	0.93552
published_at	2026-04-04T12:55:00Z

value	0.11409
scoring_system	epss
scoring_elements	0.93553
published_at	2026-04-07T12:55:00Z

value	0.11409
scoring_system	epss
scoring_elements	0.93561
published_at	2026-04-08T12:55:00Z

value	0.11409
scoring_system	epss
scoring_elements	0.93564
published_at	2026-04-09T12:55:00Z

value	0.11409
scoring_system	epss
scoring_elements	0.9357
published_at	2026-04-12T12:55:00Z

value	0.11409
scoring_system	epss
scoring_elements	0.93571
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2008-7248

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=544329

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=544329

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248

reference_url	http://secunia.com/advisories/36600
reference_id
reference_type
scores
url	http://secunia.com/advisories/36600

reference_url	http://secunia.com/advisories/38915
reference_id
reference_type
scores
url	http://secunia.com/advisories/38915

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a

reference_url

https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en

reference_url

https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html

reference_url

https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup

reference_url	https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
reference_id
reference_type
scores
url	https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/

reference_url

https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544

reference_url

https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1

reference_url

https://www.openwall.com/lists/oss-security/2009/11/28/1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.openwall.com/lists/oss-security/2009/11/28/1

reference_url

https://www.openwall.com/lists/oss-security/2009/12/02/2

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.openwall.com/lists/oss-security/2009/12/02/2

reference_url

https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html

reference_url

http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1

reference_url

http://www.openwall.com/lists/oss-security/2009/11/28/1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2009/11/28/1

reference_url

http://www.openwall.com/lists/oss-security/2009/12/02/2

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2009/12/02/2

reference_url	http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
reference_id
reference_type
scores
url	http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html

reference_url	http://www.vupen.com/english/advisories/2009/2544
reference_id
reference_type
scores
url	http://www.vupen.com/english/advisories/2009/2544

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685
reference_id	558685
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685

reference_url

https://access.redhat.com/security/cve/CVE-2008-7248

reference_id

CVE-2008-7248

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/CVE-2008-7248

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2008-7248

reference_id

CVE-2008-7248

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2008-7248

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/33402.txt
reference_id	CVE-2008-7248;OSVDB-61124
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/33402.txt

reference_url	https://www.securityfocus.com/bid/37322/info
reference_id	CVE-2008-7248;OSVDB-61124
reference_type	exploit
scores
url	https://www.securityfocus.com/bid/37322/info

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml

reference_id

CVE-2008-7248.YML

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml

reference_url

https://github.com/advisories/GHSA-8fqx-7pv4-3jwm

reference_id

GHSA-8fqx-7pv4-3jwm

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8fqx-7pv4-3jwm

reference_url	https://security.gentoo.org/glsa/200912-02
reference_id	GLSA-200912-02
reference_type
scores
url	https://security.gentoo.org/glsa/200912-02

fixed_packages

aliases

CVE-2008-7248, GHSA-8fqx-7pv4-3jwm

risk_score

10.0

exploitability

2.0

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-vgm2-8wjy-x7ed

url VCID-wg3a-j2dp-ayh4

vulnerability_id VCID-wg3a-j2dp-ayh4

summary

Possible DoS Vulnerability in Action Controller Token Authentication
There is a possible DoS vulnerability in the Token Authentication logic in Action Controller.

Versions Affected:  >= 4.0.0
Not affected:       < 4.0.0
Fixed Versions:     6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact
------
Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.  Impacted code will look something like this:

```
class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end
```

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
The following monkey patch placed in an initializer can be used to work around the issue:

```ruby
module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 5-2-http-authentication-dos.patch - Patch for 5.2 series
* 6-0-http-authentication-dos.patch - Patch for 6.0 series
* 6-1-http-authentication-dos.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------
Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22904

reference_id

reference_type

scores

value	0.07856
scoring_system	epss
scoring_elements	0.92022
published_at	2026-04-16T12:55:00Z

value	0.07856
scoring_system	epss
scoring_elements	0.92007
published_at	2026-04-12T12:55:00Z

value	0.07856
scoring_system	epss
scoring_elements	0.92004
published_at	2026-04-13T12:55:00Z

value	0.07856
scoring_system	epss
scoring_elements	0.92
published_at	2026-04-08T12:55:00Z

value	0.07856
scoring_system	epss
scoring_elements	0.91987
published_at	2026-04-07T12:55:00Z

value	0.07856
scoring_system	epss
scoring_elements	0.91981
published_at	2026-04-04T12:55:00Z

value	0.07856
scoring_system	epss
scoring_elements	0.91966
published_at	2026-04-01T12:55:00Z

value	0.07856
scoring_system	epss
scoring_elements	0.91974
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22904

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904

reference_url

https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url