Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/rails@4.0.0.beta1
Typegem
Namespace
Namerails
Version4.0.0.beta1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.1.7.7
Latest_non_vulnerable_version7.1.3.1
Affected_by_vulnerabilities
0
url VCID-2mcx-b9k2-83bh
vulnerability_id VCID-2mcx-b9k2-83bh
summary 
Ruby on Rails vulnerable to code injection
Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.
references
0
reference_url http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2006-4111
reference_id
reference_type
scores
0
value 0.03984
scoring_system epss
scoring_elements 0.8842
published_at 2026-04-16T12:55:00Z
1
value 0.03984
scoring_system epss
scoring_elements 0.88406
published_at 2026-04-13T12:55:00Z
2
value 0.03984
scoring_system epss
scoring_elements 0.88414
published_at 2026-04-11T12:55:00Z
3
value 0.03984
scoring_system epss
scoring_elements 0.88403
published_at 2026-04-09T12:55:00Z
4
value 0.03984
scoring_system epss
scoring_elements 0.88397
published_at 2026-04-08T12:55:00Z
5
value 0.03984
scoring_system epss
scoring_elements 0.88378
published_at 2026-04-07T12:55:00Z
6
value 0.03984
scoring_system epss
scoring_elements 0.88373
published_at 2026-04-04T12:55:00Z
7
value 0.03984
scoring_system epss
scoring_elements 0.8835
published_at 2026-04-01T12:55:00Z
8
value 0.03984
scoring_system epss
scoring_elements 0.88359
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2006-4111
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4111
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4111
3
reference_url https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
6
reference_url https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
7
reference_url http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
8
reference_url http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
9
reference_url http://www.novell.com/linux/security/advisories/2006_21_sr.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.novell.com/linux/security/advisories/2006_21_sr.html
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255
reference_id 382255
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2006-4111
reference_id CVE-2006-4111
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2006-4111
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml
reference_id CVE-2006-4111.YML
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml
13
reference_url https://github.com/advisories/GHSA-rvpq-5xqx-pfpp
reference_id GHSA-rvpq-5xqx-pfpp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rvpq-5xqx-pfpp
14
reference_url https://security.gentoo.org/glsa/200608-20
reference_id GLSA-200608-20
reference_type
scores
url https://security.gentoo.org/glsa/200608-20
fixed_packages
aliases CVE-2006-4111, GHSA-rvpq-5xqx-pfpp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2mcx-b9k2-83bh
1
url VCID-3wtf-uu89-2qe5
vulnerability_id VCID-3wtf-uu89-2qe5
summary 
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
1
reference_url http://openwall.com/lists/oss-security/2014/02/18/8
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2014/02/18/8
2
reference_url http://rhn.redhat.com/errata/RHSA-2014-0215.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0215.html
3
reference_url http://rhn.redhat.com/errata/RHSA-2014-0306.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0306.html
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0081.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0081.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2014-0081
reference_id
reference_type
scores
0
value 0.00885
scoring_system epss
scoring_elements 0.75477
published_at 2026-04-16T12:55:00Z
1
value 0.00885
scoring_system epss
scoring_elements 0.75378
published_at 2026-04-01T12:55:00Z
2
value 0.00885
scoring_system epss
scoring_elements 0.75382
published_at 2026-04-02T12:55:00Z
3
value 0.00885
scoring_system epss
scoring_elements 0.75415
published_at 2026-04-04T12:55:00Z
4
value 0.00885
scoring_system epss
scoring_elements 0.75394
published_at 2026-04-07T12:55:00Z
5
value 0.00885
scoring_system epss
scoring_elements 0.75438
published_at 2026-04-08T12:55:00Z
6
value 0.00885
scoring_system epss
scoring_elements 0.75447
published_at 2026-04-09T12:55:00Z
7
value 0.00885
scoring_system epss
scoring_elements 0.75467
published_at 2026-04-11T12:55:00Z
8
value 0.00885
scoring_system epss
scoring_elements 0.75446
published_at 2026-04-12T12:55:00Z
9
value 0.00885
scoring_system epss
scoring_elements 0.75435
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2014-0081
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130
9
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
10
reference_url https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml
13
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4
14
reference_url https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782
15
reference_url https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647
16
reference_url https://web.archive.org/web/20201207045136/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20201207045136/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1065520
reference_id 1065520
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1065520
18
reference_url https://nvd.nist.gov/vuln/detail/CVE-2014-0081
reference_id CVE-2014-0081
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2014-0081
19
reference_url https://github.com/advisories/GHSA-m46p-ggm5-5j83
reference_id GHSA-m46p-ggm5-5j83
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m46p-ggm5-5j83
20
reference_url https://access.redhat.com/errata/RHSA-2014:0215
reference_id RHSA-2014:0215
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0215
21
reference_url https://access.redhat.com/errata/RHSA-2014:0306
reference_id RHSA-2014:0306
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0306
fixed_packages
0
url pkg:gem/rails@4.0.3
purl pkg:gem/rails@4.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2mcx-b9k2-83bh
1
vulnerability VCID-35rt-t6e1-pfa6
2
vulnerability VCID-3wtf-uu89-2qe5
3
vulnerability VCID-63gy-6njy-kbd8
4
vulnerability VCID-877d-u9ag-qqdr
5
vulnerability VCID-895a-ydc5-zfg6
6
vulnerability VCID-8dad-dvat-1fg4
7
vulnerability VCID-a6sp-18av-wya6
8
vulnerability VCID-c8b5-d83n-nuhw
9
vulnerability VCID-es1t-7196-4kbb
10
vulnerability VCID-g5q6-7uav-sqh1
11
vulnerability VCID-gsx2-9sc2-3fbr
12
vulnerability VCID-hppf-a715-r7b2
13
vulnerability VCID-mnkw-23eu-bkgc
14
vulnerability VCID-pb5f-g4uc-r7fp
15
vulnerability VCID-s5ah-tf63-a7cw
16
vulnerability VCID-t684-yp58-hkg8
17
vulnerability VCID-v3r3-bwp5-a3bn
18
vulnerability VCID-wg3a-j2dp-ayh4
19
vulnerability VCID-z1jv-4ga2-7kd1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.0.3
1
url pkg:gem/rails@4.1.0.beta2
purl pkg:gem/rails@4.1.0.beta2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2mcx-b9k2-83bh
1
vulnerability VCID-3wtf-uu89-2qe5
2
vulnerability VCID-63gy-6njy-kbd8
3
vulnerability VCID-877d-u9ag-qqdr
4
vulnerability VCID-895a-ydc5-zfg6
5
vulnerability VCID-8dad-dvat-1fg4
6
vulnerability VCID-a6sp-18av-wya6
7
vulnerability VCID-c8b5-d83n-nuhw
8
vulnerability VCID-es1t-7196-4kbb
9
vulnerability VCID-g5q6-7uav-sqh1
10
vulnerability VCID-gsx2-9sc2-3fbr
11
vulnerability VCID-hppf-a715-r7b2
12
vulnerability VCID-mnkw-23eu-bkgc
13
vulnerability VCID-pb5f-g4uc-r7fp
14
vulnerability VCID-s5ah-tf63-a7cw
15
vulnerability VCID-t684-yp58-hkg8
16
vulnerability VCID-v3r3-bwp5-a3bn
17
vulnerability VCID-wg3a-j2dp-ayh4
18
vulnerability VCID-z1jv-4ga2-7kd1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.0.beta2
2
url pkg:gem/rails@4.1.0
purl pkg:gem/rails@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2mcx-b9k2-83bh
1
vulnerability VCID-35rt-t6e1-pfa6
2
vulnerability VCID-3wtf-uu89-2qe5
3
vulnerability VCID-63gy-6njy-kbd8
4
vulnerability VCID-877d-u9ag-qqdr
5
vulnerability VCID-895a-ydc5-zfg6
6
vulnerability VCID-8dad-dvat-1fg4
7
vulnerability VCID-a6sp-18av-wya6
8
vulnerability VCID-c8b5-d83n-nuhw
9
vulnerability VCID-es1t-7196-4kbb
10
vulnerability VCID-g5q6-7uav-sqh1
11
vulnerability VCID-gsx2-9sc2-3fbr
12
vulnerability VCID-hppf-a715-r7b2
13
vulnerability VCID-mnkw-23eu-bkgc
14
vulnerability VCID-pb5f-g4uc-r7fp
15
vulnerability VCID-s5ah-tf63-a7cw
16
vulnerability VCID-t684-yp58-hkg8
17
vulnerability VCID-v3r3-bwp5-a3bn
18
vulnerability VCID-wg3a-j2dp-ayh4
19
vulnerability VCID-z1jv-4ga2-7kd1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.0
aliases CVE-2014-0081, GHSA-m46p-ggm5-5j83, OSV-103439
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3wtf-uu89-2qe5
2
url VCID-63gy-6njy-kbd8
vulnerability_id VCID-63gy-6njy-kbd8
summary 
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22792
reference_id
reference_type
scores
0
value 0.02639
scoring_system epss
scoring_elements 0.85729
published_at 2026-04-16T12:55:00Z
1
value 0.02639
scoring_system epss
scoring_elements 0.85707
published_at 2026-04-13T12:55:00Z
2
value 0.02639
scoring_system epss
scoring_elements 0.85711
published_at 2026-04-12T12:55:00Z
3
value 0.02639
scoring_system epss
scoring_elements 0.85715
published_at 2026-04-11T12:55:00Z
4
value 0.02639
scoring_system epss
scoring_elements 0.85701
published_at 2026-04-09T12:55:00Z
5
value 0.02639
scoring_system epss
scoring_elements 0.85689
published_at 2026-04-08T12:55:00Z
6
value 0.02639
scoring_system epss
scoring_elements 0.85646
published_at 2026-04-02T12:55:00Z
7
value 0.02639
scoring_system epss
scoring_elements 0.8567
published_at 2026-04-07T12:55:00Z
8
value 0.02639
scoring_system epss
scoring_elements 0.85663
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22792
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml
17
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
18
reference_url https://security.netapp.com/advisory/ntap-20240202-0007
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0007
19
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://www.debian.org/security/2023/dsa-5372
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164800
reference_id 2164800
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164800
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22792
reference_id CVE-2023-22792
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22792
23
reference_url https://github.com/advisories/GHSA-p84v-45xj-wwqj
reference_id GHSA-p84v-45xj-wwqj
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p84v-45xj-wwqj
24
reference_url https://security.netapp.com/advisory/ntap-20240202-0007/
reference_id ntap-20240202-0007
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://security.netapp.com/advisory/ntap-20240202-0007/
25
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:gem/rails@6.0.6.1
purl pkg:gem/rails@6.0.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-65tq-e5eb-eucj
1
vulnerability VCID-hppf-a715-r7b2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.6.1
1
url pkg:gem/rails@6.1.7.1
purl pkg:gem/rails@6.1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-65tq-e5eb-eucj
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.7.1
2
url pkg:gem/rails@7.0.4.1
purl pkg:gem/rails@7.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5bh7-drnb-7ygg
1
vulnerability VCID-65tq-e5eb-eucj
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1
aliases CVE-2023-22792, GHSA-p84v-45xj-wwqj, GMS-2023-58
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-63gy-6njy-kbd8
3
url VCID-877d-u9ag-qqdr
vulnerability_id VCID-877d-u9ag-qqdr
summary 
Rails Denial of Service vulnerability
Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2006-4112
reference_id
reference_type
scores
0
value 0.07371
scoring_system epss
scoring_elements 0.9169
published_at 2026-04-02T12:55:00Z
1
value 0.07371
scoring_system epss
scoring_elements 0.91744
published_at 2026-04-16T12:55:00Z
2
value 0.07371
scoring_system epss
scoring_elements 0.91724
published_at 2026-04-13T12:55:00Z
3
value 0.07371
scoring_system epss
scoring_elements 0.91728
published_at 2026-04-12T12:55:00Z
4
value 0.07371
scoring_system epss
scoring_elements 0.91726
published_at 2026-04-11T12:55:00Z
5
value 0.07371
scoring_system epss
scoring_elements 0.91723
published_at 2026-04-09T12:55:00Z
6
value 0.07371
scoring_system epss
scoring_elements 0.91681
published_at 2026-04-01T12:55:00Z
7
value 0.07371
scoring_system epss
scoring_elements 0.91716
published_at 2026-04-08T12:55:00Z
8
value 0.07371
scoring_system epss
scoring_elements 0.91703
published_at 2026-04-07T12:55:00Z
9
value 0.07371
scoring_system epss
scoring_elements 0.91695
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2006-4112
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4112
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4112
2
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/28364
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://exchange.xforce.ibmcloud.com/vulnerabilities/28364
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
5
reference_url https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded
6
reference_url https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
7
reference_url http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
8
reference_url http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
9
reference_url http://www.kb.cert.org/vuls/id/699540
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.kb.cert.org/vuls/id/699540
10
reference_url http://www.novell.com/linux/security/advisories/2006_21_sr.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.novell.com/linux/security/advisories/2006_21_sr.html
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255
reference_id 382255
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2006-4112
reference_id CVE-2006-4112
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2006-4112
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml
reference_id CVE-2006-4112.YML
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml
14
reference_url https://github.com/advisories/GHSA-9wrq-xvmp-xjc8
reference_id GHSA-9wrq-xvmp-xjc8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9wrq-xvmp-xjc8
15
reference_url https://security.gentoo.org/glsa/200608-20
reference_id GLSA-200608-20
reference_type
scores
url https://security.gentoo.org/glsa/200608-20
fixed_packages
aliases CVE-2006-4112, GHSA-9wrq-xvmp-xjc8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-877d-u9ag-qqdr
4
url VCID-895a-ydc5-zfg6
vulnerability_id VCID-895a-ydc5-zfg6
summary 
Circumvention of file size limits in ActiveStorage
There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user.

Versions Affected:  rails < 5.2.4.2, rails < 6.0.3.1
Not affected:       Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8162
reference_id
reference_type
scores
0
value 0.01549
scoring_system epss
scoring_elements 0.81448
published_at 2026-04-16T12:55:00Z
1
value 0.01549
scoring_system epss
scoring_elements 0.81411
published_at 2026-04-13T12:55:00Z
2
value 0.01549
scoring_system epss
scoring_elements 0.81376
published_at 2026-04-07T12:55:00Z
3
value 0.01549
scoring_system epss
scoring_elements 0.81418
published_at 2026-04-12T12:55:00Z
4
value 0.01549
scoring_system epss
scoring_elements 0.81431
published_at 2026-04-11T12:55:00Z
5
value 0.01549
scoring_system epss
scoring_elements 0.81409
published_at 2026-04-09T12:55:00Z
6
value 0.01549
scoring_system epss
scoring_elements 0.81405
published_at 2026-04-08T12:55:00Z
7
value 0.01549
scoring_system epss
scoring_elements 0.81347
published_at 2026-04-01T12:55:00Z
8
value 0.01549
scoring_system epss
scoring_elements 0.81356
published_at 2026-04-02T12:55:00Z
9
value 0.01549
scoring_system epss
scoring_elements 0.81378
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8162
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://github.com/aws/aws-sdk-ruby
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aws/aws-sdk-ruby
9
reference_url https://github.com/aws/aws-sdk-ruby/issues/2098
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aws/aws-sdk-ruby/issues/2098
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml
11
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
12
reference_url https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ
13
reference_url https://hackerone.com/reports/789579
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/789579
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8162
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8162
15
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843005
reference_id 1843005
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843005
17
reference_url https://github.com/advisories/GHSA-m42x-37p3-fv5w
reference_id GHSA-m42x-37p3-fv5w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m42x-37p3-fv5w
18
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:gem/rails@5.2.4.2
purl pkg:gem/rails@5.2.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-65tq-e5eb-eucj
3
vulnerability VCID-a6sp-18av-wya6
4
vulnerability VCID-es1t-7196-4kbb
5
vulnerability VCID-gjey-bqtd-kqa1
6
vulnerability VCID-hppf-a715-r7b2
7
vulnerability VCID-jwun-grgg-2uet
8
vulnerability VCID-mnkw-23eu-bkgc
9
vulnerability VCID-t684-yp58-hkg8
10
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.2
1
url pkg:gem/rails@6.0.3.1
purl pkg:gem/rails@6.0.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-1bxs-yghe-cyck
2
vulnerability VCID-1xgz-hwng-n3eq
3
vulnerability VCID-5qu2-b8gt-7qe3
4
vulnerability VCID-63gy-6njy-kbd8
5
vulnerability VCID-65tq-e5eb-eucj
6
vulnerability VCID-gjey-bqtd-kqa1
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-wg3a-j2dp-ayh4
10
vulnerability VCID-wyy6-h8bq-vyde
11
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1
aliases CVE-2020-8162, GHSA-m42x-37p3-fv5w
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-895a-ydc5-zfg6
5
url VCID-8dad-dvat-1fg4
vulnerability_id VCID-8dad-dvat-1fg4
summary 
Path Traversal in Action View
# File Content Disclosure in Action View

Impact 
------ 
There is a possible file content disclosure vulnerability in Action View.  Specially crafted accept headers in combination with calls to `render file:`  can cause arbitrary files on the target server to be rendered, disclosing the  file contents. 

The impact is limited to calls to `render` which render file contents without  a specified accept format.  Impacted code in a controller looks something like this: 

``` ruby
class UserController < ApplicationController 
  def index 
    render file: "#{Rails.root}/some/file" 
  end 
end 
``` 

Rendering templates as opposed to files is not impacted by this vulnerability. 

All users running an affected release should either upgrade or use one of the workarounds immediately. 

Releases 
-------- 
The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. 

Workarounds 
----------- 
This vulnerability can be mitigated by specifying a format for file rendering, like this: 

``` ruby
class UserController < ApplicationController 
  def index 
    render file: "#{Rails.root}/some/file", formats: [:html] 
  end 
end 
``` 

In summary, impacted calls to `render` look like this: 

``` 
render file: "#{Rails.root}/some/file" 
``` 

The vulnerability can be mitigated by changing to this: 

``` 
render file: "#{Rails.root}/some/file", formats: [:html] 
``` 

Other calls to `render` are not impacted. 

Alternatively, the following monkey patch can be applied in an initializer: 

``` ruby
$ cat config/initializers/formats_filter.rb 
# frozen_string_literal: true 

ActionDispatch::Request.prepend(Module.new do 
  def formats 
    super().select do |format| 
      format.symbol || format.ref == "*/*" 
    end 
  end 
end) 
``` 

Credits 
------- 
Thanks to John Hawthorn <john@hawthorn.email> of GitHub
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
1
reference_url http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
2
reference_url https://access.redhat.com/errata/RHSA-2019:0796
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://access.redhat.com/errata/RHSA-2019:0796
3
reference_url https://access.redhat.com/errata/RHSA-2019:1147
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://access.redhat.com/errata/RHSA-2019:1147
4
reference_url https://access.redhat.com/errata/RHSA-2019:1149
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://access.redhat.com/errata/RHSA-2019:1149
5
reference_url https://access.redhat.com/errata/RHSA-2019:1289
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://access.redhat.com/errata/RHSA-2019:1289
6
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5418.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5418.json
7
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-5418
reference_id
reference_type
scores
0
value 0.94318
scoring_system epss
scoring_elements 0.9995
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-5418
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5418
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5418
9
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
10
reference_url https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
11
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
12
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg
13
reference_url https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
17
reference_url https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
18
reference_url https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
reference_id
reference_type
scores
url https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
19
reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
20
reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
21
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418
22
reference_url https://www.exploit-db.com/exploits/46585
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/46585
23
reference_url https://www.exploit-db.com/exploits/46585/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://www.exploit-db.com/exploits/46585/
24
reference_url http://www.openwall.com/lists/oss-security/2019/03/22/1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url http://www.openwall.com/lists/oss-security/2019/03/22/1
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1689159
reference_id 1689159
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1689159
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520
reference_id 924520
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520
27
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*
reference_id cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*
28
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
reference_id cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
29
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
reference_id cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
30
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
31
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
reference_id cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
32
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
reference_id cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
33
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
reference_id cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
34
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/46585.py
reference_id CVE-2019-5418
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/46585.py
35
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-5418
reference_id CVE-2019-5418
reference_type
scores
0
value 5.0
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:N/C:P/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-5418
36
reference_url https://github.com/advisories/GHSA-86g5-2wh3-gc9j
reference_id GHSA-86g5-2wh3-gc9j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-86g5-2wh3-gc9j
37
reference_url https://usn.ubuntu.com/7646-1/
reference_id USN-7646-1
reference_type
scores
url https://usn.ubuntu.com/7646-1/
fixed_packages
0
url pkg:gem/rails@4.2.11.1
purl pkg:gem/rails@4.2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-895a-ydc5-zfg6
3
vulnerability VCID-a6sp-18av-wya6
4
vulnerability VCID-es1t-7196-4kbb
5
vulnerability VCID-g5q6-7uav-sqh1
6
vulnerability VCID-hppf-a715-r7b2
7
vulnerability VCID-mnkw-23eu-bkgc
8
vulnerability VCID-t684-yp58-hkg8
9
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.2.11.1
1
url pkg:gem/rails@5.0.7.2
purl pkg:gem/rails@5.0.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-895a-ydc5-zfg6
3
vulnerability VCID-a6sp-18av-wya6
4
vulnerability VCID-es1t-7196-4kbb
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-jwun-grgg-2uet
7
vulnerability VCID-mnkw-23eu-bkgc
8
vulnerability VCID-t684-yp58-hkg8
9
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.0.7.2
2
url pkg:gem/rails@5.1.6.2
purl pkg:gem/rails@5.1.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-895a-ydc5-zfg6
3
vulnerability VCID-a6sp-18av-wya6
4
vulnerability VCID-es1t-7196-4kbb
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-jwun-grgg-2uet
7
vulnerability VCID-mnkw-23eu-bkgc
8
vulnerability VCID-t684-yp58-hkg8
9
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.1.6.2
3
url pkg:gem/rails@5.2.2.1
purl pkg:gem/rails@5.2.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-65tq-e5eb-eucj
3
vulnerability VCID-895a-ydc5-zfg6
4
vulnerability VCID-a6sp-18av-wya6
5
vulnerability VCID-es1t-7196-4kbb
6
vulnerability VCID-gjey-bqtd-kqa1
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-mnkw-23eu-bkgc
10
vulnerability VCID-t684-yp58-hkg8
11
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.2.1
aliases CVE-2019-5418, GHSA-86g5-2wh3-gc9j
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8dad-dvat-1fg4
6
url VCID-a6sp-18av-wya6
vulnerability_id VCID-a6sp-18av-wya6
summary 
Possible Strong Parameters Bypass in ActionPack
There is a strong parameters bypass vector in ActionPack.

Versions Affected:  rails <= 6.0.3
Not affected:       rails < 5.0.0
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------
In some cases user supplied information can be inadvertently leaked from
Strong Parameters.  Specifically the return value of `each`, or `each_value`,
or `each_pair` will return the underlying "untrusted" hash of data that was
read from the parameters.  Applications that use this return value may be
inadvertently use untrusted user input.

Impacted code will look something like this:

```
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above
example.

Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in your
application.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8164
reference_id
reference_type
scores
0
value 0.07389
scoring_system epss
scoring_elements 0.91752
published_at 2026-04-16T12:55:00Z
1
value 0.07389
scoring_system epss
scoring_elements 0.9169
published_at 2026-04-01T12:55:00Z
2
value 0.07389
scoring_system epss
scoring_elements 0.91698
published_at 2026-04-02T12:55:00Z
3
value 0.07389
scoring_system epss
scoring_elements 0.91703
published_at 2026-04-04T12:55:00Z
4
value 0.07389
scoring_system epss
scoring_elements 0.91712
published_at 2026-04-07T12:55:00Z
5
value 0.07389
scoring_system epss
scoring_elements 0.91724
published_at 2026-04-08T12:55:00Z
6
value 0.07389
scoring_system epss
scoring_elements 0.91731
published_at 2026-04-09T12:55:00Z
7
value 0.07389
scoring_system epss
scoring_elements 0.91734
published_at 2026-04-11T12:55:00Z
8
value 0.07389
scoring_system epss
scoring_elements 0.91736
published_at 2026-04-12T12:55:00Z
9
value 0.07389
scoring_system epss
scoring_elements 0.91732
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
11
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
12
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
14
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
15
reference_url https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
16
reference_url https://hackerone.com/reports/292797
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/292797
17
reference_url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
18
reference_url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8164
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8164
20
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1842634
reference_id 1842634
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1842634
22
reference_url https://github.com/advisories/GHSA-8727-m6gj-mc37
reference_id GHSA-8727-m6gj-mc37
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8727-m6gj-mc37
23
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:gem/rails@5.2.4.3
purl pkg:gem/rails@5.2.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-65tq-e5eb-eucj
3
vulnerability VCID-gjey-bqtd-kqa1
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-jwun-grgg-2uet
6
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3
1
url pkg:gem/rails@6.0.3.1
purl pkg:gem/rails@6.0.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-1bxs-yghe-cyck
2
vulnerability VCID-1xgz-hwng-n3eq
3
vulnerability VCID-5qu2-b8gt-7qe3
4
vulnerability VCID-63gy-6njy-kbd8
5
vulnerability VCID-65tq-e5eb-eucj
6
vulnerability VCID-gjey-bqtd-kqa1
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-wg3a-j2dp-ayh4
10
vulnerability VCID-wyy6-h8bq-vyde
11
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1
aliases CVE-2020-8164, GHSA-8727-m6gj-mc37
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a6sp-18av-wya6
7
url VCID-c8b5-d83n-nuhw
vulnerability_id VCID-c8b5-d83n-nuhw
summary 
Allocation of Resources Without Limits or Throttling
There is a possible denial of service vulnerability in Action View (Rails)  where specially crafted accept headers can cause action view to consume % cpu and make the server unresponsive.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
3
reference_url https://access.redhat.com/errata/RHSA-2019:0796
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2019:0796
4
reference_url https://access.redhat.com/errata/RHSA-2019:1147
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2019:1147
5
reference_url https://access.redhat.com/errata/RHSA-2019:1149
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2019:1149
6
reference_url https://access.redhat.com/errata/RHSA-2019:1289
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2019:1289
7
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5419.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5419.json
8
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-5419
reference_id
reference_type
scores
0
value 0.12118
scoring_system epss
scoring_elements 0.93825
published_at 2026-04-16T12:55:00Z
1
value 0.12118
scoring_system epss
scoring_elements 0.93764
published_at 2026-04-01T12:55:00Z
2
value 0.12118
scoring_system epss
scoring_elements 0.93773
published_at 2026-04-02T12:55:00Z
3
value 0.12118
scoring_system epss
scoring_elements 0.93783
published_at 2026-04-04T12:55:00Z
4
value 0.12118
scoring_system epss
scoring_elements 0.93787
published_at 2026-04-07T12:55:00Z
5
value 0.12118
scoring_system epss
scoring_elements 0.93795
published_at 2026-04-08T12:55:00Z
6
value 0.12118
scoring_system epss
scoring_elements 0.93798
published_at 2026-04-09T12:55:00Z
7
value 0.12118
scoring_system epss
scoring_elements 0.93803
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-5419
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5419
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5419
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
12
reference_url https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715
13
reference_url https://github.com/rails/rails/pull/35708
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/pull/35708
14
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2019-5419.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2019-5419.yml
15
reference_url https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI
reference_id
reference_type
scores
url https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI
16
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
17
reference_url https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
18
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
19
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
21
reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
22
reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
reference_id
reference_type
scores
url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
23
reference_url http://www.openwall.com/lists/oss-security/2019/03/22/1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2019/03/22/1
24
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1689160
reference_id 1689160
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1689160
25
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520
reference_id 924520
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520
26
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*
reference_id cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*
27
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
reference_id cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
28
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
reference_id cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
29
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
30
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
reference_id cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
31
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
reference_id cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
32
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
reference_id cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
33
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
reference_id cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
34
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-5419
reference_id CVE-2019-5419
reference_type
scores
0
value 7.8
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:N/C:N/I:N/A:C
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-5419
35
reference_url https://github.com/advisories/GHSA-m63j-wh5w-c252
reference_id GHSA-m63j-wh5w-c252
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m63j-wh5w-c252
fixed_packages
0
url pkg:gem/rails@4.2.11.1
purl pkg:gem/rails@4.2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-895a-ydc5-zfg6
3
vulnerability VCID-a6sp-18av-wya6
4
vulnerability VCID-es1t-7196-4kbb
5
vulnerability VCID-g5q6-7uav-sqh1
6
vulnerability VCID-hppf-a715-r7b2
7
vulnerability VCID-mnkw-23eu-bkgc
8
vulnerability VCID-t684-yp58-hkg8
9
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.2.11.1
1
url pkg:gem/rails@5.0.7.2
purl pkg:gem/rails@5.0.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-895a-ydc5-zfg6
3
vulnerability VCID-a6sp-18av-wya6
4
vulnerability VCID-es1t-7196-4kbb
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-jwun-grgg-2uet
7
vulnerability VCID-mnkw-23eu-bkgc
8
vulnerability VCID-t684-yp58-hkg8
9
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.0.7.2
2
url pkg:gem/rails@5.1.6.2
purl pkg:gem/rails@5.1.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-895a-ydc5-zfg6
3
vulnerability VCID-a6sp-18av-wya6
4
vulnerability VCID-es1t-7196-4kbb
5
vulnerability VCID-hppf-a715-r7b2
6
vulnerability VCID-jwun-grgg-2uet
7
vulnerability VCID-mnkw-23eu-bkgc
8
vulnerability VCID-t684-yp58-hkg8
9
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.1.6.2
3
url pkg:gem/rails@5.2.2.1
purl pkg:gem/rails@5.2.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-65tq-e5eb-eucj
3
vulnerability VCID-895a-ydc5-zfg6
4
vulnerability VCID-a6sp-18av-wya6
5
vulnerability VCID-es1t-7196-4kbb
6
vulnerability VCID-gjey-bqtd-kqa1
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-mnkw-23eu-bkgc
10
vulnerability VCID-t684-yp58-hkg8
11
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.2.1
aliases CVE-2019-5419, GHSA-m63j-wh5w-c252
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c8b5-d83n-nuhw
8
url VCID-es1t-7196-4kbb
vulnerability_id VCID-es1t-7196-4kbb
summary 
CSRF Vulnerability in rails-ujs
There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains.

Versions Affected:  rails <= 6.0.3
Not affected:       Applications which don't use rails-ujs.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

This is a regression of CVE-2015-1840.

In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent.

Workarounds
-----------

To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters.

For example, code like this:

    link_to params

to code like this:

    link_to filtered_params

    def filtered_params
      # Filter just the parameters that you trust
    end
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8167
reference_id
reference_type
scores
0
value 0.00592
scoring_system epss
scoring_elements 0.69281
published_at 2026-04-16T12:55:00Z
1
value 0.00592
scoring_system epss
scoring_elements 0.69242
published_at 2026-04-13T12:55:00Z
2
value 0.00592
scoring_system epss
scoring_elements 0.69271
published_at 2026-04-12T12:55:00Z
3
value 0.00592
scoring_system epss
scoring_elements 0.69285
published_at 2026-04-11T12:55:00Z
4
value 0.00592
scoring_system epss
scoring_elements 0.69177
published_at 2026-04-01T12:55:00Z
5
value 0.00592
scoring_system epss
scoring_elements 0.69245
published_at 2026-04-08T12:55:00Z
6
value 0.00592
scoring_system epss
scoring_elements 0.69195
published_at 2026-04-07T12:55:00Z
7
value 0.00592
scoring_system epss
scoring_elements 0.69213
published_at 2026-04-04T12:55:00Z
8
value 0.00592
scoring_system epss
scoring_elements 0.69192
published_at 2026-04-02T12:55:00Z
9
value 0.00592
scoring_system epss
scoring_elements 0.69263
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8167
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml
10
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
11
reference_url https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0
12
reference_url https://hackerone.com/reports/189878
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/189878
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8167
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8167
14
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843084
reference_id 1843084
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843084
16
reference_url https://github.com/advisories/GHSA-xq5j-gw7f-jgj8
reference_id GHSA-xq5j-gw7f-jgj8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xq5j-gw7f-jgj8
17
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:gem/rails@5.2.4.3
purl pkg:gem/rails@5.2.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-65tq-e5eb-eucj
3
vulnerability VCID-gjey-bqtd-kqa1
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-jwun-grgg-2uet
6
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3
1
url pkg:gem/rails@6.0.3.1
purl pkg:gem/rails@6.0.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-1bxs-yghe-cyck
2
vulnerability VCID-1xgz-hwng-n3eq
3
vulnerability VCID-5qu2-b8gt-7qe3
4
vulnerability VCID-63gy-6njy-kbd8
5
vulnerability VCID-65tq-e5eb-eucj
6
vulnerability VCID-gjey-bqtd-kqa1
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-wg3a-j2dp-ayh4
10
vulnerability VCID-wyy6-h8bq-vyde
11
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1
aliases CVE-2020-8167, GHSA-xq5j-gw7f-jgj8
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-es1t-7196-4kbb
9
url VCID-g5q6-7uav-sqh1
vulnerability_id VCID-g5q6-7uav-sqh1
summary 
Remote code execution via user-provided local names in ActionView
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.
references
0
reference_url http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8163.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8163.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8163
reference_id
reference_type
scores
0
value 0.90927
scoring_system epss
scoring_elements 0.99632
published_at 2026-04-07T12:55:00Z
1
value 0.90927
scoring_system epss
scoring_elements 0.99634
published_at 2026-04-16T12:55:00Z
2
value 0.90927
scoring_system epss
scoring_elements 0.99633
published_at 2026-04-13T12:55:00Z
3
value 0.90927
scoring_system epss
scoring_elements 0.99631
published_at 2026-04-04T12:55:00Z
4
value 0.90927
scoring_system epss
scoring_elements 0.9963
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8163
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8163
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8163
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8163.yml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8163.yml
6
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
7
reference_url https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0
8
reference_url https://hackerone.com/reports/304805
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/304805
9
reference_url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8163
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8163
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1848724
reference_id 1848724
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1848724
12
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/48716.rb
reference_id CVE-2020-8163
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/48716.rb
13
reference_url https://github.com/advisories/GHSA-cr3x-7m39-c6jq
reference_id GHSA-cr3x-7m39-c6jq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cr3x-7m39-c6jq
fixed_packages
0
url pkg:gem/rails@5.0.1
purl pkg:gem/rails@5.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2mcx-b9k2-83bh
1
vulnerability VCID-3wtf-uu89-2qe5
2
vulnerability VCID-5qu2-b8gt-7qe3
3
vulnerability VCID-63gy-6njy-kbd8
4
vulnerability VCID-6yr6-a21g-dyf5
5
vulnerability VCID-877d-u9ag-qqdr
6
vulnerability VCID-895a-ydc5-zfg6
7
vulnerability VCID-8dad-dvat-1fg4
8
vulnerability VCID-a6sp-18av-wya6
9
vulnerability VCID-c8b5-d83n-nuhw
10
vulnerability VCID-es1t-7196-4kbb
11
vulnerability VCID-gsx2-9sc2-3fbr
12
vulnerability VCID-hppf-a715-r7b2
13
vulnerability VCID-jwun-grgg-2uet
14
vulnerability VCID-mnkw-23eu-bkgc
15
vulnerability VCID-t684-yp58-hkg8
16
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.0.1
aliases CVE-2020-8163, GHSA-cr3x-7m39-c6jq
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g5q6-7uav-sqh1
10
url VCID-gsx2-9sc2-3fbr
vulnerability_id VCID-gsx2-9sc2-3fbr
summary 
Moderate severity vulnerability that affects rails
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
references
0
reference_url http://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://github.com/rails/rails
1
reference_url http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
2
reference_url http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
3
reference_url http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
4
reference_url http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
5
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-4214.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-4214.json
6
reference_url https://api.first.org/data/v1/epss?cve=CVE-2009-4214
reference_id
reference_type
scores
0
value 0.01632
scoring_system epss
scoring_elements 0.81937
published_at 2026-04-16T12:55:00Z
1
value 0.01632
scoring_system epss
scoring_elements 0.81837
published_at 2026-04-01T12:55:00Z
2
value 0.01632
scoring_system epss
scoring_elements 0.81848
published_at 2026-04-02T12:55:00Z
3
value 0.01632
scoring_system epss
scoring_elements 0.8187
published_at 2026-04-04T12:55:00Z
4
value 0.01632
scoring_system epss
scoring_elements 0.81866
published_at 2026-04-07T12:55:00Z
5
value 0.01632
scoring_system epss
scoring_elements 0.81893
published_at 2026-04-08T12:55:00Z
6
value 0.01632
scoring_system epss
scoring_elements 0.81899
published_at 2026-04-09T12:55:00Z
7
value 0.01632
scoring_system epss
scoring_elements 0.81919
published_at 2026-04-11T12:55:00Z
8
value 0.01632
scoring_system epss
scoring_elements 0.81907
published_at 2026-04-12T12:55:00Z
9
value 0.01632
scoring_system epss
scoring_elements 0.81902
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2009-4214
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
8
reference_url http://secunia.com/advisories/37446
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/37446
9
reference_url http://secunia.com/advisories/38915
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/38915
10
reference_url http://support.apple.com/kb/HT4077
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT4077
11
reference_url http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
12
reference_url http://www.debian.org/security/2011/dsa-2260
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2260
13
reference_url http://www.debian.org/security/2011/dsa-2301
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2301
14
reference_url http://www.openwall.com/lists/oss-security/2009/11/27/2
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2009/11/27/2
15
reference_url http://www.openwall.com/lists/oss-security/2009/12/08/3
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2009/12/08/3
16
reference_url http://www.securityfocus.com/bid/37142
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/37142
17
reference_url http://www.securitytracker.com/id?1023245
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.securitytracker.com/id?1023245
18
reference_url http://www.vupen.com/english/advisories/2009/3352
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2009/3352
19
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=542786
reference_id 542786
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=542786
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685
reference_id 558685
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685
21
reference_url https://nvd.nist.gov/vuln/detail/CVE-2009-4214
reference_id CVE-2009-4214
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2009-4214
22
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml
reference_id CVE-2009-4214.YML
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml
23
reference_url https://github.com/advisories/GHSA-9p3v-wf2w-v29c
reference_id GHSA-9p3v-wf2w-v29c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-9p3v-wf2w-v29c
24
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
aliases CVE-2009-4214, GHSA-9p3v-wf2w-v29c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gsx2-9sc2-3fbr
11
url VCID-hppf-a715-r7b2
vulnerability_id VCID-hppf-a715-r7b2
summary 
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22795
reference_id
reference_type
scores
0
value 0.01523
scoring_system epss
scoring_elements 0.81303
published_at 2026-04-16T12:55:00Z
1
value 0.01523
scoring_system epss
scoring_elements 0.8121
published_at 2026-04-02T12:55:00Z
2
value 0.01523
scoring_system epss
scoring_elements 0.81234
published_at 2026-04-07T12:55:00Z
3
value 0.01523
scoring_system epss
scoring_elements 0.81262
published_at 2026-04-08T12:55:00Z
4
value 0.01523
scoring_system epss
scoring_elements 0.81267
published_at 2026-04-09T12:55:00Z
5
value 0.01523
scoring_system epss
scoring_elements 0.81288
published_at 2026-04-11T12:55:00Z
6
value 0.01523
scoring_system epss
scoring_elements 0.81274
published_at 2026-04-12T12:55:00Z
7
value 0.01523
scoring_system epss
scoring_elements 0.81266
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22795
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
16
reference_url https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
17
reference_url https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592
18
reference_url https://github.com/rails/rails/releases/tag/v6.1.7.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.7.1
19
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
20
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
21
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164799
reference_id 2164799
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164799
24
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22795
reference_id CVE-2023-22795
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22795
25
reference_url https://github.com/advisories/GHSA-8xww-x3g3-6jcv
reference_id GHSA-8xww-x3g3-6jcv
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8xww-x3g3-6jcv
26
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:gem/rails@6.1.7.1
purl pkg:gem/rails@6.1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-65tq-e5eb-eucj
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.7.1
1
url pkg:gem/rails@7.0.4.1
purl pkg:gem/rails@7.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5bh7-drnb-7ygg
1
vulnerability VCID-65tq-e5eb-eucj
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1
aliases CVE-2023-22795, GHSA-8xww-x3g3-6jcv, GMS-2023-56
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hppf-a715-r7b2
12
url VCID-mnkw-23eu-bkgc
vulnerability_id VCID-mnkw-23eu-bkgc
summary 
Ability to forge per-form CSRF tokens in Rails
It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Impact
------

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8166
reference_id
reference_type
scores
0
value 0.00443
scoring_system epss
scoring_elements 0.63345
published_at 2026-04-16T12:55:00Z
1
value 0.00443
scoring_system epss
scoring_elements 0.63311
published_at 2026-04-13T12:55:00Z
2
value 0.00443
scoring_system epss
scoring_elements 0.63348
published_at 2026-04-12T12:55:00Z
3
value 0.00443
scoring_system epss
scoring_elements 0.63364
published_at 2026-04-11T12:55:00Z
4
value 0.00443
scoring_system epss
scoring_elements 0.63347
published_at 2026-04-09T12:55:00Z
5
value 0.00443
scoring_system epss
scoring_elements 0.63329
published_at 2026-04-08T12:55:00Z
6
value 0.00443
scoring_system epss
scoring_elements 0.63278
published_at 2026-04-07T12:55:00Z
7
value 0.00443
scoring_system epss
scoring_elements 0.63312
published_at 2026-04-04T12:55:00Z
8
value 0.00443
scoring_system epss
scoring_elements 0.63284
published_at 2026-04-02T12:55:00Z
9
value 0.00443
scoring_system epss
scoring_elements 0.63225
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8166
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
9
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml
11
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements
1
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
12
reference_url https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw
reference_id
reference_type
scores
url https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw
13
reference_url https://hackerone.com/reports/732415
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/732415
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8166
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8166
15
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
url https://www.debian.org/security/2020/dsa-4766
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843152
reference_id 1843152
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843152
17
reference_url https://github.com/advisories/GHSA-jp5v-5gx4-jmj9
reference_id GHSA-jp5v-5gx4-jmj9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jp5v-5gx4-jmj9
18
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:gem/rails@5.2.4.3
purl pkg:gem/rails@5.2.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-65tq-e5eb-eucj
3
vulnerability VCID-gjey-bqtd-kqa1
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-jwun-grgg-2uet
6
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3
1
url pkg:gem/rails@6.0.3.1
purl pkg:gem/rails@6.0.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-1bxs-yghe-cyck
2
vulnerability VCID-1xgz-hwng-n3eq
3
vulnerability VCID-5qu2-b8gt-7qe3
4
vulnerability VCID-63gy-6njy-kbd8
5
vulnerability VCID-65tq-e5eb-eucj
6
vulnerability VCID-gjey-bqtd-kqa1
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-wg3a-j2dp-ayh4
10
vulnerability VCID-wyy6-h8bq-vyde
11
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1
aliases CVE-2020-8166, GHSA-jp5v-5gx4-jmj9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mnkw-23eu-bkgc
13
url VCID-n5fx-u6fs-vydu
vulnerability_id VCID-n5fx-u6fs-vydu
summary 
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.
references
0
reference_url http://openwall.com/lists/oss-security/2014/02/18/9
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2014/02/18/9
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0080.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0080.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2014-0080
reference_id
reference_type
scores
0
value 0.00248
scoring_system epss
scoring_elements 0.48114
published_at 2026-04-16T12:55:00Z
1
value 0.00248
scoring_system epss
scoring_elements 0.48053
published_at 2026-04-04T12:55:00Z
2
value 0.00248
scoring_system epss
scoring_elements 0.48003
published_at 2026-04-07T12:55:00Z
3
value 0.00248
scoring_system epss
scoring_elements 0.48056
published_at 2026-04-08T12:55:00Z
4
value 0.00248
scoring_system epss
scoring_elements 0.4805
published_at 2026-04-12T12:55:00Z
5
value 0.00248
scoring_system epss
scoring_elements 0.48074
published_at 2026-04-11T12:55:00Z
6
value 0.00248
scoring_system epss
scoring_elements 0.48062
published_at 2026-04-13T12:55:00Z
7
value 0.00248
scoring_system epss
scoring_elements 0.47995
published_at 2026-04-01T12:55:00Z
8
value 0.00248
scoring_system epss
scoring_elements 0.48033
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2014-0080
3
reference_url https://github.com/advisories/GHSA-hqf9-rc9j-5fmj
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-hqf9-rc9j-5fmj
4
reference_url https://github.com/rails/rails/tree/main/activerecord
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/tree/main/activerecord
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-0080.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-0080.yml
6
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/Wu96YkTUR6s
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/rubyonrails-security/Wu96YkTUR6s
7
reference_url https://web.archive.org/web/20210301004521/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210301004521/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1065517
reference_id 1065517
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1065517
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2014-0080
reference_id CVE-2014-0080
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2014-0080
fixed_packages
0
url pkg:gem/rails@4.0.3
purl pkg:gem/rails@4.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2mcx-b9k2-83bh
1
vulnerability VCID-35rt-t6e1-pfa6
2
vulnerability VCID-3wtf-uu89-2qe5
3
vulnerability VCID-63gy-6njy-kbd8
4
vulnerability VCID-877d-u9ag-qqdr
5
vulnerability VCID-895a-ydc5-zfg6
6
vulnerability VCID-8dad-dvat-1fg4
7
vulnerability VCID-a6sp-18av-wya6
8
vulnerability VCID-c8b5-d83n-nuhw
9
vulnerability VCID-es1t-7196-4kbb
10
vulnerability VCID-g5q6-7uav-sqh1
11
vulnerability VCID-gsx2-9sc2-3fbr
12
vulnerability VCID-hppf-a715-r7b2
13
vulnerability VCID-mnkw-23eu-bkgc
14
vulnerability VCID-pb5f-g4uc-r7fp
15
vulnerability VCID-s5ah-tf63-a7cw
16
vulnerability VCID-t684-yp58-hkg8
17
vulnerability VCID-v3r3-bwp5-a3bn
18
vulnerability VCID-wg3a-j2dp-ayh4
19
vulnerability VCID-z1jv-4ga2-7kd1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.0.3
1
url pkg:gem/rails@4.1.0.beta2
purl pkg:gem/rails@4.1.0.beta2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2mcx-b9k2-83bh
1
vulnerability VCID-3wtf-uu89-2qe5
2
vulnerability VCID-63gy-6njy-kbd8
3
vulnerability VCID-877d-u9ag-qqdr
4
vulnerability VCID-895a-ydc5-zfg6
5
vulnerability VCID-8dad-dvat-1fg4
6
vulnerability VCID-a6sp-18av-wya6
7
vulnerability VCID-c8b5-d83n-nuhw
8
vulnerability VCID-es1t-7196-4kbb
9
vulnerability VCID-g5q6-7uav-sqh1
10
vulnerability VCID-gsx2-9sc2-3fbr
11
vulnerability VCID-hppf-a715-r7b2
12
vulnerability VCID-mnkw-23eu-bkgc
13
vulnerability VCID-pb5f-g4uc-r7fp
14
vulnerability VCID-s5ah-tf63-a7cw
15
vulnerability VCID-t684-yp58-hkg8
16
vulnerability VCID-v3r3-bwp5-a3bn
17
vulnerability VCID-wg3a-j2dp-ayh4
18
vulnerability VCID-z1jv-4ga2-7kd1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.1.0.beta2
aliases CVE-2014-0080, GHSA-hqf9-rc9j-5fmj, OSV-103438
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n5fx-u6fs-vydu
14
url VCID-pmrb-t3bm-zkb6
vulnerability_id VCID-pmrb-t3bm-zkb6
summary 
Denial of Service Vulnerability in Action View
There is a denial of service vulnerability in the header handling component of Action View. Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
1
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
2
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
3
reference_url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
4
reference_url http://rhn.redhat.com/errata/RHSA-2013-1794.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-1794.html
5
reference_url http://rhn.redhat.com/errata/RHSA-2014-0008.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0008.html
6
reference_url http://rhn.redhat.com/errata/RHSA-2014-1863.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-1863.html
7
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6414.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6414.json
8
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-6414
reference_id
reference_type
scores
0
value 0.70843
scoring_system epss
scoring_elements 0.98688
published_at 2026-04-02T12:55:00Z
1
value 0.70843
scoring_system epss
scoring_elements 0.98687
published_at 2026-04-01T12:55:00Z
2
value 0.70843
scoring_system epss
scoring_elements 0.98702
published_at 2026-04-16T12:55:00Z
3
value 0.70843
scoring_system epss
scoring_elements 0.987
published_at 2026-04-13T12:55:00Z
4
value 0.70843
scoring_system epss
scoring_elements 0.98699
published_at 2026-04-12T12:55:00Z
5
value 0.70843
scoring_system epss
scoring_elements 0.98696
published_at 2026-04-09T12:55:00Z
6
value 0.70843
scoring_system epss
scoring_elements 0.98695
published_at 2026-04-07T12:55:00Z
7
value 0.70843
scoring_system epss
scoring_elements 0.98691
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-6414
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
14
reference_url http://seclists.org/oss-sec/2013/q4/400
reference_id
reference_type
scores
url http://seclists.org/oss-sec/2013/q4/400
15
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6414.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6414.yml
17
reference_url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ
18
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
19
reference_url https://puppet.com/security/cve/cve-2013-6414
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://puppet.com/security/cve/cve-2013-6414
20
reference_url https://web.archive.org/web/20160421165124/http://secunia.com/advisories/57836
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160421165124/http://secunia.com/advisories/57836
21
reference_url https://web.archive.org/web/20160808161629/https://puppet.com/security/cve/cve-2013-6414
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160808161629/https://puppet.com/security/cve/cve-2013-6414
22
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
23
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
24
reference_url http://www.debian.org/security/2014/dsa-2888
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2014/dsa-2888
25
reference_url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release
26
reference_url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
reference_id
reference_type
scores
url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
27
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1036483
reference_id 1036483
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1036483
28
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-6414
reference_id CVE-2013-6414
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-6414
29
reference_url https://github.com/advisories/GHSA-mpxf-gcw2-pw5q
reference_id GHSA-mpxf-gcw2-pw5q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mpxf-gcw2-pw5q
30
reference_url https://access.redhat.com/errata/RHSA-2013:1794
reference_id RHSA-2013:1794
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:1794
31
reference_url https://access.redhat.com/errata/RHSA-2014:0008
reference_id RHSA-2014:0008
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0008
fixed_packages
0
url pkg:gem/rails@4.0.2
purl pkg:gem/rails@4.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2mcx-b9k2-83bh
1
vulnerability VCID-35rt-t6e1-pfa6
2
vulnerability VCID-3wtf-uu89-2qe5
3
vulnerability VCID-63gy-6njy-kbd8
4
vulnerability VCID-877d-u9ag-qqdr
5
vulnerability VCID-895a-ydc5-zfg6
6
vulnerability VCID-8dad-dvat-1fg4
7
vulnerability VCID-a6sp-18av-wya6
8
vulnerability VCID-c8b5-d83n-nuhw
9
vulnerability VCID-es1t-7196-4kbb
10
vulnerability VCID-g5q6-7uav-sqh1
11
vulnerability VCID-gsx2-9sc2-3fbr
12
vulnerability VCID-hppf-a715-r7b2
13
vulnerability VCID-mnkw-23eu-bkgc
14
vulnerability VCID-n5fx-u6fs-vydu
15
vulnerability VCID-pb5f-g4uc-r7fp
16
vulnerability VCID-s5ah-tf63-a7cw
17
vulnerability VCID-t684-yp58-hkg8
18
vulnerability VCID-v3r3-bwp5-a3bn
19
vulnerability VCID-wg3a-j2dp-ayh4
20
vulnerability VCID-z1jv-4ga2-7kd1
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@4.0.2
aliases CVE-2013-6414, GHSA-mpxf-gcw2-pw5q, OSV-100525
risk_score 10.0
exploitability 2.0
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pmrb-t3bm-zkb6
15
url VCID-t684-yp58-hkg8
vulnerability_id VCID-t684-yp58-hkg8
summary 
ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

```
data = cache.fetch("demo", raw: true) { untrusted_string }
```
Versions Affected:  rails < 5.2.5, rails < 6.0.4
Not affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
  
Impact
------
Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds
-----------
It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the `raw` argument should be double-checked to ensure that they conform to the expected format.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8165
reference_id
reference_type
scores
0
value 0.90128
scoring_system epss
scoring_elements 0.99588
published_at 2026-04-13T12:55:00Z
1
value 0.90128
scoring_system epss
scoring_elements 0.99589
published_at 2026-04-16T12:55:00Z
2
value 0.90128
scoring_system epss
scoring_elements 0.99584
published_at 2026-04-01T12:55:00Z
3
value 0.90128
scoring_system epss
scoring_elements 0.99585
published_at 2026-04-02T12:55:00Z
4
value 0.90128
scoring_system epss
scoring_elements 0.99586
published_at 2026-04-04T12:55:00Z
5
value 0.90128
scoring_system epss
scoring_elements 0.99587
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8165
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
12
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
13
reference_url https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
14
reference_url https://hackerone.com/reports/413388
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/413388
15
reference_url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
16
reference_url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8165
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8165
18
reference_url https://security.netapp.com/advisory/ntap-20250509-0002
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250509-0002
19
reference_url https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
20
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843072
reference_id 1843072
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843072
22
reference_url https://github.com/advisories/GHSA-2p68-f74v-9wc6
reference_id GHSA-2p68-f74v-9wc6
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2p68-f74v-9wc6
23
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:gem/rails@5.2.4.3
purl pkg:gem/rails@5.2.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5qu2-b8gt-7qe3
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-65tq-e5eb-eucj
3
vulnerability VCID-gjey-bqtd-kqa1
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-jwun-grgg-2uet
6
vulnerability VCID-wg3a-j2dp-ayh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.3
1
url pkg:gem/rails@6.0.3.1
purl pkg:gem/rails@6.0.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-12x8-jxdf-jqdz
1
vulnerability VCID-1bxs-yghe-cyck
2
vulnerability VCID-1xgz-hwng-n3eq
3
vulnerability VCID-5qu2-b8gt-7qe3
4
vulnerability VCID-63gy-6njy-kbd8
5
vulnerability VCID-65tq-e5eb-eucj
6
vulnerability VCID-gjey-bqtd-kqa1
7
vulnerability VCID-hppf-a715-r7b2
8
vulnerability VCID-jwun-grgg-2uet
9
vulnerability VCID-wg3a-j2dp-ayh4
10
vulnerability VCID-wyy6-h8bq-vyde
11
vulnerability VCID-zy7d-3db6-sydw
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.1
aliases CVE-2020-8165, GHSA-2p68-f74v-9wc6
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t684-yp58-hkg8
16
url VCID-wg3a-j2dp-ayh4
vulnerability_id VCID-wg3a-j2dp-ayh4
summary 
Possible DoS Vulnerability in Action Controller Token Authentication
There is a possible DoS vulnerability in the Token Authentication logic in Action Controller.

Versions Affected:  >= 4.0.0
Not affected:       < 4.0.0
Fixed Versions:     6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact
------
Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.  Impacted code will look something like this:

```
class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end
```

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
The following monkey patch placed in an initializer can be used to work around the issue:

```ruby
module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 5-2-http-authentication-dos.patch - Patch for 5.2 series
* 6-0-http-authentication-dos.patch - Patch for 6.0 series
* 6-1-http-authentication-dos.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------
Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22904
reference_id
reference_type
scores
0
value 0.07856
scoring_system epss
scoring_elements 0.92022
published_at 2026-04-16T12:55:00Z
1
value 0.07856
scoring_system epss
scoring_elements 0.92007
published_at 2026-04-12T12:55:00Z
2
value 0.07856
scoring_system epss
scoring_elements 0.92004
published_at 2026-04-13T12:55:00Z
3
value 0.07856
scoring_system epss
scoring_elements 0.92
published_at 2026-04-08T12:55:00Z
4
value 0.07856
scoring_system epss
scoring_elements 0.91987
published_at 2026-04-07T12:55:00Z
5
value 0.07856
scoring_system epss
scoring_elements 0.91981
published_at 2026-04-04T12:55:00Z
6
value 0.07856
scoring_system epss
scoring_elements 0.91966
published_at 2026-04-01T12:55:00Z
7
value 0.07856
scoring_system epss
scoring_elements 0.91974
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22904
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
5
reference_url https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
8
reference_url https://github.com/rails/rails/releases/tag/v5.2.4.6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v5.2.4.6
9
reference_url https://github.com/rails/rails/releases/tag/v5.2.6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v5.2.6
10
reference_url https://github.com/rails/rails/releases/tag/v6.0.3.7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.0.3.7
11
reference_url https://github.com/rails/rails/releases/tag/v6.1.3.2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.3.2
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml
13
reference_url https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
14
reference_url https://hackerone.com/reports/1101125
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1101125
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22904
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22904
16
reference_url https://security.netapp.com/advisory/ntap-20210805-0009
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210805-0009
17
reference_url https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210805-0009/
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1961379
reference_id 1961379
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1961379
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id 988214
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
20
reference_url https://security.archlinux.org/AVG-1920
reference_id AVG-1920
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1920
21
reference_url https://security.archlinux.org/AVG-1921
reference_id AVG-1921
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1921
22
reference_url https://security.archlinux.org/AVG-2090
reference_id AVG-2090
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2090
23
reference_url https://security.archlinux.org/AVG-2223
reference_id AVG-2223
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2223
24
reference_url https://github.com/advisories/GHSA-7wjx-3g7j-8584
reference_id GHSA-7wjx-3g7j-8584
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7wjx-3g7j-8584
25
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
fixed_packages
0
url pkg:gem/rails@5.2.4.6
purl pkg:gem/rails@5.2.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-65tq-e5eb-eucj
2
vulnerability VCID-hppf-a715-r7b2
3
vulnerability VCID-jwun-grgg-2uet
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.6
1
url pkg:gem/rails@5.2.6
purl pkg:gem/rails@5.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63gy-6njy-kbd8
1
vulnerability VCID-65tq-e5eb-eucj
2
vulnerability VCID-hppf-a715-r7b2
3
vulnerability VCID-jwun-grgg-2uet
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.6
2
url pkg:gem/rails@6.0.3.7
purl pkg:gem/rails@6.0.3.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bxs-yghe-cyck
1
vulnerability VCID-63gy-6njy-kbd8
2
vulnerability VCID-65tq-e5eb-eucj
3
vulnerability VCID-hppf-a715-r7b2
4
vulnerability VCID-jwun-grgg-2uet
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.7
3
url pkg:gem/rails@6.1.3.2
purl pkg:gem/rails@6.1.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bxs-yghe-cyck
1
vulnerability VCID-1x8k-t8mr-3fgp
2
vulnerability VCID-63gy-6njy-kbd8
3
vulnerability VCID-65tq-e5eb-eucj
4
vulnerability VCID-hppf-a715-r7b2
5
vulnerability VCID-jwun-grgg-2uet
6
vulnerability VCID-msda-xqbp-qfdd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.3.2
aliases CVE-2021-22904, GHSA-7wjx-3g7j-8584
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wg3a-j2dp-ayh4
Fixing_vulnerabilities
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/rails@4.0.0.beta1