Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
Typedeb
Namespacedebian
Namerails
Version2:6.0.3.7+dfsg-2+deb11u2
Qualifiers
distro trixie
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2:6.0.3.7+dfsg-2+deb11u3
Latest_non_vulnerable_version2:7.2.3.1+dfsg-1
Affected_by_vulnerabilities
0
url VCID-2ghz-4sfg-2feh
vulnerability_id VCID-2ghz-4sfg-2feh
summary rails: rails-activesupport: Active Support: Denial of Service via crafted long digit strings
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33169.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33169.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33169
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.06013
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33169
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33169
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
6
reference_url https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
7
reference_url https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/
url https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33169.yml
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33169.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33169
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33169
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450556
reference_id 2450556
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450556
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2026-33169, GHSA-cg4j-q9v8-6v38
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2ghz-4sfg-2feh
1
url VCID-5bzk-rhe1-fqdc
vulnerability_id VCID-5bzk-rhe1-fqdc
summary Rails: Active Storage: Rails Active Storage: Denial of Service via unbounded Range header
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33174.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33174.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33174
reference_id
reference_type
scores
0
value 0.00023
scoring_system epss
scoring_elements 0.06895
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33174
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33174
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33174
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
6
reference_url https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
7
reference_url https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:40:23Z/
url https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33174.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33174.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33174
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33174
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450544
reference_id 2450544
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450544
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2026-33174, GHSA-r46p-8f7g-vvvg
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5bzk-rhe1-fqdc
2
url VCID-7zz5-k99f-v3f6
vulnerability_id VCID-7zz5-k99f-v3f6
summary Rails: Active Storage: Rails Active Storage: Content type bypass via arbitrary metadata in direct uploads
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33173.json
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33173.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33173
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03113
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33173
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33173
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33173
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
6
reference_url https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
7
reference_url https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T14:14:22Z/
url https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33173.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33173.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33173
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33173
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450545
reference_id 2450545
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450545
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2026-33173, GHSA-qcfx-2mfw-w4cg
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7zz5-k99f-v3f6
3
url VCID-f48b-ashx-53bg
vulnerability_id VCID-f48b-ashx-53bg
summary actionview: Action View: Cross-Site Scripting (XSS) via blank HTML attribute names
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33168.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33168.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33168
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07655
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33168
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33168
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33168
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c
6
reference_url https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d
7
reference_url https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:36:28Z/
url https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2026-33168.yml
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2026-33168.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33168
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33168
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450549
reference_id 2450549
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450549
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2026-33168, GHSA-v55j-83pf-r9cq
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f48b-ashx-53bg
4
url VCID-gbvf-y28h-kqax
vulnerability_id VCID-gbvf-y28h-kqax
summary Rails: Active Storage: Active Storage (Rails): Arbitrary file access via path traversal in blob keys
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33195.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33195.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33195
reference_id
reference_type
scores
0
value 0.00036
scoring_system epss
scoring_elements 0.11065
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33195
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33195
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33195
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
6
reference_url https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
7
reference_url https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
reference_id
reference_type
scores
0
value 8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:10:57Z/
url https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33195.yml
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33195.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33195
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33195
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450546
reference_id 2450546
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450546
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2026-33195, GHSA-9xrj-h377-fr87
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gbvf-y28h-kqax
5
url VCID-hdsb-jx4g-fqf6
vulnerability_id VCID-hdsb-jx4g-fqf6
summary Rails: Active Support: Active Support: Cross-Site Scripting (XSS) due to improper HTML safety flag propagation in SafeBuffer#%
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33170.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33170.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33170
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01144
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33170
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33170
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33170
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7
6
reference_url https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db
7
reference_url https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/
url https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33170.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33170.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33170
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33170
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450543
reference_id 2450543
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450543
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2026-33170, GHSA-89vf-4333-qx8v
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hdsb-jx4g-fqf6
6
url VCID-nwk7-sujd-nkc1
vulnerability_id VCID-nwk7-sujd-nkc1
summary rails: Active Storage: Unintended file deletion via crafted blob keys
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33202.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33202.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33202
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.08585
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33202
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33202
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33202
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c
6
reference_url https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf
7
reference_url https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:42:33Z/
url https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33202.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33202.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33202
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33202
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450547
reference_id 2450547
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450547
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2026-33202, GHSA-73f9-jhhh-hr5m
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nwk7-sujd-nkc1
7
url VCID-urpb-uk1z-vqga
vulnerability_id VCID-urpb-uk1z-vqga
summary rails: activestorage: Active Storage: Denial of Service via HTTP Range header processing
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33658.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33658.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33658
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.06097
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33658
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33658
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33658
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
5
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
6
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
7
reference_url https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/
url https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:42:16Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2026-33658.yml
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33658
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33658
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2451983
reference_id 2451983
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2451983
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2026-33658, GHSA-p9fm-f462-ggrg
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-urpb-uk1z-vqga
8
url VCID-v3mu-95kt-ufc6
vulnerability_id VCID-v3mu-95kt-ufc6
summary Rails: Active Support: Active Support: Denial of Service via large scientific notation strings
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33176.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33176.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33176
reference_id
reference_type
scores
0
value 0.0003
scoring_system epss
scoring_elements 0.09295
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33176
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33176
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33176
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb
6
reference_url https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a
7
reference_url https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856
8
reference_url https://github.com/rails/rails/releases/tag/v7.2.3.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/releases/tag/v7.2.3.1
9
reference_url https://github.com/rails/rails/releases/tag/v8.0.4.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/releases/tag/v8.0.4.1
10
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/
url https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33176.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33176.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33176
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33176
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id 1132035
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450551
reference_id 2450551
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450551
16
reference_url https://access.redhat.com/errata/RHSA-2026:14835
reference_id RHSA-2026:14835
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:14835
17
reference_url https://access.redhat.com/errata/RHSA-2026:14873
reference_id RHSA-2026:14873
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:14873
18
reference_url https://access.redhat.com/errata/RHSA-2026:14874
reference_id RHSA-2026:14874
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:14874
fixed_packages
0
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2026-33176, GHSA-2j26-frm8-cmj9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v3mu-95kt-ufc6
Fixing_vulnerabilities
0
url VCID-123f-6px7-3qdg
vulnerability_id VCID-123f-6px7-3qdg
summary Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` (dot dot) in a pathname.
references
0
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178044.html
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178069.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
3
reference_url http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
4
reference_url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
5
reference_url http://rhn.redhat.com/errata/RHSA-2016-0296.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url http://rhn.redhat.com/errata/RHSA-2016-0296.html
6
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-0752.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-0752.json
7
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-0752
reference_id
reference_type
scores
0
value 0.90494
scoring_system epss
scoring_elements 0.99626
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-0752
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:P/I:P/A:P
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/advisories/GHSA-xrr4-p6fq-hjg7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-xrr4-p6fq-hjg7
18
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0752.yml
19
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-0752.yml
20
reference_url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
21
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-0752
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-0752
23
reference_url https://web.archive.org/web/20210618005620/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210618005620/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/335P1DcLG00/JXcBnTtZEgAJ
24
reference_url https://web.archive.org/web/20210621170450/http://www.securityfocus.com/bid/81801
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210621170450/http://www.securityfocus.com/bid/81801
25
reference_url https://web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816
26
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752
27
reference_url https://www.exploit-db.com/exploits/40561
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/40561
28
reference_url http://www.debian.org/security/2016/dsa-3464
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url http://www.debian.org/security/2016/dsa-3464
29
reference_url http://www.openwall.com/lists/oss-security/2016/01/25/13
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url http://www.openwall.com/lists/oss-security/2016/01/25/13
30
reference_url http://www.securityfocus.com/bid/81801
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url http://www.securityfocus.com/bid/81801
31
reference_url http://www.securitytracker.com/id/1034816
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url http://www.securitytracker.com/id/1034816
32
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1301963
reference_id 1301963
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1301963
33
reference_url https://www.exploit-db.com/exploits/40561/
reference_id 40561
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/
url https://www.exploit-db.com/exploits/40561/
34
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/40561.rb
reference_id CVE-2016-0752
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/40561.rb
35
reference_url https://access.redhat.com/errata/RHSA-2016:0296
reference_id RHSA-2016:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0296
36
reference_url https://access.redhat.com/errata/RHSA-2016:0454
reference_id RHSA-2016:0454
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0454
37
reference_url https://access.redhat.com/errata/RHSA-2016:0455
reference_id RHSA-2016:0455
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0455
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
purl pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.5.1-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2016-0752, GHSA-xrr4-p6fq-hjg7
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-123f-6px7-3qdg
1
url VCID-1b9z-efz6-9fdu
vulnerability_id VCID-1b9z-efz6-9fdu
summary 
actionpack Improper Input Validation vulnerability
The template selection functionality in `actionpack/lib/action_view/template/resolver.rb` in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/cbbbba6e4f7eaf61?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-2929
reference_id
reference_type
scores
0
value 0.00814
scoring_system epss
scoring_elements 0.7458
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-2929
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=731432
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=731432
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2929.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2929.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-2929
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-2929
9
reference_url https://rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
10
reference_url http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
11
reference_url http://www.openwall.com/lists/oss-security/2011/08/17/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/17/1
12
reference_url http://www.openwall.com/lists/oss-security/2011/08/19/11
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/19/11
13
reference_url http://www.openwall.com/lists/oss-security/2011/08/20/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/20/1
14
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/13
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/13
15
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/14
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/14
16
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/5
17
reference_url https://github.com/advisories/GHSA-r7q2-5gqg-6c7q
reference_id GHSA-r7q2-5gqg-6c7q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r7q2-5gqg-6c7q
18
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-2929, GHSA-r7q2-5gqg-6c7q
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1b9z-efz6-9fdu
2
url VCID-1g4f-hrwm-q3gh
vulnerability_id VCID-1g4f-hrwm-q3gh
summary 
Possible ReDoS vulnerability in block_format in Action Mailer
There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.

Impact
------

Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users can avoid calling the `block_format` helper or upgrade to Ruby 3.2

Credits
-------

Thanks to yuki_osaki for the report!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47889
reference_id
reference_type
scores
0
value 0.00326
scoring_system epss
scoring_elements 0.55793
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47889
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47889
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47889
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml
7
reference_url https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
reference_id 0e5694f4d32544532d2301a9b4084eacb6986e94
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319033
reference_id 2319033
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2319033
10
reference_url https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
reference_id 3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
11
reference_url https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
reference_id 985f1923fa62806ff676e41de67c3b4552131ab9
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
12
reference_url https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
reference_id be898cc996986decfe238341d96b2a6573b8fd2e
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/
url https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
13
reference_url https://github.com/advisories/GHSA-h47h-mwp9-c6q6
reference_id GHSA-h47h-mwp9-c6q6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h47h-mwp9-c6q6
14
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-47889, GHSA-h47h-mwp9-c6q6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1g4f-hrwm-q3gh
3
url VCID-1xbd-73qv-mff9
vulnerability_id VCID-1xbd-73qv-mff9
summary 
actionpack Improper Authentication vulnerability
The `decode_credentials` method in `actionpack/lib/action_controller/metal/http_authentication.rb` in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a `with_http_digest` helper method, as demonstrated by the `authenticate_or_request_with_http_digest` method.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html
1
reference_url http://rhn.redhat.com/errata/RHSA-2013-0154.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0154.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3424.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3424.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2012-3424
reference_id
reference_type
scores
0
value 0.00981
scoring_system epss
scoring_elements 0.7707
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2012-3424
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/3719bd3e95523c5518507dbe44f260f252930600
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/3719bd3e95523c5518507dbe44f260f252930600
6
reference_url https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en&dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en&dmode=source&output=gplain
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2012-3424
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2012-3424
8
reference_url http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=843711
reference_id 843711
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=843711
10
reference_url https://github.com/advisories/GHSA-92w9-2pqw-rhjj
reference_id GHSA-92w9-2pqw-rhjj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-92w9-2pqw-rhjj
11
reference_url https://access.redhat.com/errata/RHSA-2012:1542
reference_id RHSA-2012:1542
reference_type
scores
url https://access.redhat.com/errata/RHSA-2012:1542
12
reference_url https://access.redhat.com/errata/RHSA-2013:0154
reference_id RHSA-2013:0154
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0154
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2012-3424, GHSA-92w9-2pqw-rhjj, OSV-84243
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1xbd-73qv-mff9
4
url VCID-1yz6-agyw-f7ef
vulnerability_id VCID-1yz6-agyw-f7ef
summary 
Moderate severity vulnerability that affects rails
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
references
0
reference_url http://bugs.gentoo.org/show_bug.cgi?id=195315
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://bugs.gentoo.org/show_bug.cgi?id=195315
1
reference_url http://docs.info.apple.com/article.html?artnum=307179
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://docs.info.apple.com/article.html?artnum=307179
2
reference_url http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2007-5379
reference_id
reference_type
scores
0
value 0.10596
scoring_system epss
scoring_elements 0.93402
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2007-5379
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5379
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5379
5
reference_url http://security.gentoo.org/glsa/glsa-200711-17.xml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://security.gentoo.org/glsa/glsa-200711-17.xml
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5379.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5379.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2007-5379
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2007-5379
9
reference_url https://rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
10
reference_url https://web.archive.org/web/20090602000500/http://dev.rubyonrails.org/ticket/8453
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20090602000500/http://dev.rubyonrails.org/ticket/8453
11
reference_url http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
12
reference_url http://www.us-cert.gov/cas/techalerts/TA07-352A.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.us-cert.gov/cas/techalerts/TA07-352A.html
13
reference_url http://www.vupen.com/english/advisories/2007/3508
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2007/3508
14
reference_url http://www.vupen.com/english/advisories/2007/4238
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2007/4238
15
reference_url https://github.com/advisories/GHSA-fjfg-q662-gm6j
reference_id GHSA-fjfg-q662-gm6j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fjfg-q662-gm6j
16
reference_url https://security.gentoo.org/glsa/200711-17
reference_id GLSA-200711-17
reference_type
scores
url https://security.gentoo.org/glsa/200711-17
fixed_packages
0
url pkg:deb/debian/rails@1.2.5-1?distro=trixie
purl pkg:deb/debian/rails@1.2.5-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@1.2.5-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2007-5379, GHSA-fjfg-q662-gm6j, OSV-40717
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1yz6-agyw-f7ef
5
url VCID-25ru-4qks-7yf3
vulnerability_id VCID-25ru-4qks-7yf3
summary 
Actionpack Open Redirect Vulnerability
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22881
reference_id
reference_type
scores
0
value 0.15453
scoring_system epss
scoring_elements 0.94766
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22881
2
reference_url https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881
4
reference_url https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md
8
reference_url https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml
10
reference_url https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E
11
reference_url https://hackerone.com/reports/1047447
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1047447
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22881
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22881
14
reference_url https://rubygems.org/gems/actionpack
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubygems.org/gems/actionpack
15
reference_url http://www.openwall.com/lists/oss-security/2021/05/05/2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/05/05/2
16
reference_url http://www.openwall.com/lists/oss-security/2021/08/20/1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/08/20/1
17
reference_url http://www.openwall.com/lists/oss-security/2021/12/14/5
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/12/14/5
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1930211
reference_id 1930211
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1930211
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.5%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.5%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.5%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2021-22881, GHSA-8877-prq4-9xfw
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-25ru-4qks-7yf3
6
url VCID-2q3z-t4mp-aqdx
vulnerability_id VCID-2q3z-t4mp-aqdx
summary 
Exposure of Sensitive Information to an Unauthorized Actor in activestorage
A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path.

Vulnerable apps are those using either GCS or the Disk service in production. Other storage services such as S3 or Azure aren't affected.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-16477
reference_id
reference_type
scores
0
value 0.0026
scoring_system epss
scoring_elements 0.49561
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-16477
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16477
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16477
2
reference_url https://github.com/advisories/GHSA-7rr7-rcjw-56vj
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-7rr7-rcjw-56vj
3
reference_url https://groups.google.com/d/msg/rubyonrails-security/3KQRnXDIuLg/mByx5KkqBAAJ
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/d/msg/rubyonrails-security/3KQRnXDIuLg/mByx5KkqBAAJ
4
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-16477
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-16477
6
reference_url https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released
7
reference_url https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/
reference_id
reference_type
scores
url https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914848
reference_id 914848
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914848
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:5.2.2%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2018-16477, GHSA-7rr7-rcjw-56vj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2q3z-t4mp-aqdx
7
url VCID-3rn4-abmh-nkhv
vulnerability_id VCID-3rn4-abmh-nkhv
summary 
actionpack allows bypass of database-query restrictions
`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
1
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
2
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
3
reference_url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
4
reference_url http://rhn.redhat.com/errata/RHSA-2013-1794.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-1794.html
5
reference_url http://rhn.redhat.com/errata/RHSA-2014-0008.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0008.html
6
reference_url http://rhn.redhat.com/errata/RHSA-2014-0469.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0469.html
7
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6417.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6417.json
8
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-6417
reference_id
reference_type
scores
0
value 0.00512
scoring_system epss
scoring_elements 0.66784
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-6417
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
14
reference_url http://seclists.org/oss-sec/2013/q4/403
reference_id
reference_type
scores
url http://seclists.org/oss-sec/2013/q4/403
15
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6417.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6417.yml
17
reference_url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ
18
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-6417
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-6417
20
reference_url https://puppet.com/security/cve/cve-2013-6417
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://puppet.com/security/cve/cve-2013-6417
21
reference_url https://web.archive.org/web/20160806051251/https://puppet.com/security/cve/cve-2013-6417
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160806051251/https://puppet.com/security/cve/cve-2013-6417
22
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
23
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
24
reference_url http://www.debian.org/security/2014/dsa-2888
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2014/dsa-2888
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1036409
reference_id 1036409
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1036409
26
reference_url https://github.com/advisories/GHSA-wpw7-wxjm-cw8r
reference_id GHSA-wpw7-wxjm-cw8r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wpw7-wxjm-cw8r
27
reference_url https://access.redhat.com/errata/RHSA-2013:1794
reference_id RHSA-2013:1794
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:1794
28
reference_url https://access.redhat.com/errata/RHSA-2014:0008
reference_id RHSA-2014:0008
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0008
29
reference_url https://access.redhat.com/errata/RHSA-2014:0469
reference_id RHSA-2014:0469
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0469
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-6417, GHSA-wpw7-wxjm-cw8r, OSV-100527
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3rn4-abmh-nkhv
8
url VCID-42t7-kbeq-eqcm
vulnerability_id VCID-42t7-kbeq-eqcm
summary 
Circumvention of file size limits in ActiveStorage
There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user.

Versions Affected:  rails < 5.2.4.2, rails < 6.0.3.1
Not affected:       Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8162
reference_id
reference_type
scores
0
value 0.01549
scoring_system epss
scoring_elements 0.81712
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8162
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://github.com/aws/aws-sdk-ruby
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aws/aws-sdk-ruby
9
reference_url https://github.com/aws/aws-sdk-ruby/issues/2098
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/aws/aws-sdk-ruby/issues/2098
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2020-8162.yml
11
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
12
reference_url https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/PjU3946mreQ
13
reference_url https://hackerone.com/reports/789579
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/789579
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8162
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8162
15
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843005
reference_id 1843005
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843005
17
reference_url https://github.com/advisories/GHSA-m42x-37p3-fv5w
reference_id GHSA-m42x-37p3-fv5w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m42x-37p3-fv5w
18
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.4.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:5.2.4.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.4.3%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-8162, GHSA-m42x-37p3-fv5w
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-42t7-kbeq-eqcm
9
url VCID-4bzb-ft3d-dkgg
vulnerability_id VCID-4bzb-ft3d-dkgg
summary 
actionpack Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/form_tag_helper.rb` in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the `prompt` field to the `select_tag` helper.
references
0
reference_url http://rhn.redhat.com/errata/RHSA-2013-0154.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0154.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3463.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3463.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2012-3463
reference_id
reference_type
scores
0
value 0.00333
scoring_system epss
scoring_elements 0.56331
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2012-3463
3
reference_url https://github.com/rails/rails/commit/6d0526db91afb0675c2ad3d871529d1536303c64
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/6d0526db91afb0675c2ad3d871529d1536303c64
4
reference_url https://groups.google.com/forum/?fromgroups=#!searchin/rubyonrails-security/3463/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ
reference_id
reference_type
scores
url https://groups.google.com/forum/?fromgroups=#!searchin/rubyonrails-security/3463/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ
5
reference_url https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain
6
reference_url https://groups.google.com/g/rubyonrails-security/c/fV3QUToSMSw/m/eHBSFOUYHpYJ?pli=1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/fV3QUToSMSw/m/eHBSFOUYHpYJ?pli=1
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2012-3463
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2012-3463
8
reference_url http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released
9
reference_url http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=847196
reference_id 847196
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=847196
11
reference_url https://github.com/advisories/GHSA-98mf-8f57-64qf
reference_id GHSA-98mf-8f57-64qf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-98mf-8f57-64qf
12
reference_url https://access.redhat.com/errata/RHSA-2012:1542
reference_id RHSA-2012:1542
reference_type
scores
url https://access.redhat.com/errata/RHSA-2012:1542
13
reference_url https://access.redhat.com/errata/RHSA-2013:0154
reference_id RHSA-2013:0154
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0154
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2012-3463, GHSA-98mf-8f57-64qf, OSV-84515
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4bzb-ft3d-dkgg
10
url VCID-4fyg-vxpj-c7d7
vulnerability_id VCID-4fyg-vxpj-c7d7
summary rubygem-actionpack: Possible Information Disclosure / Unintended Method Execution in Action Pack
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22885
reference_id
reference_type
scores
0
value 0.01264
scoring_system epss
scoring_elements 0.7975
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22885
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml
7
reference_url https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
8
reference_url https://hackerone.com/reports/1106652
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1106652
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22885
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22885
10
reference_url https://security.netapp.com/advisory/ntap-20210805-0009
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210805-0009
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1957441
reference_id 1957441
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1957441
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id 988214
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
13
reference_url https://security.archlinux.org/AVG-1920
reference_id AVG-1920
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1920
14
reference_url https://security.archlinux.org/AVG-1921
reference_id AVG-1921
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1921
15
reference_url https://security.archlinux.org/AVG-2090
reference_id AVG-2090
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2090
16
reference_url https://security.archlinux.org/AVG-2223
reference_id AVG-2223
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2223
17
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2021-22885, GHSA-hjg4-8q5f-x6fm
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4fyg-vxpj-c7d7
11
url VCID-4w1v-z4zj-6ydp
vulnerability_id VCID-4w1v-z4zj-6ydp
summary 
Untrusted users can run pending migrations in production in Rails
There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.

This vulnerability has been assigned the CVE identifier CVE-2020-8185.

Versions Affected:  6.0.0 < rails < 6.0.3.2
Not affected:       Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production)
Fixed Versions:     rails >= 6.0.3.2

Impact
------

Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run.

Workarounds
-----------

Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb:

`config.middleware.delete ActionDispatch::ActionableExceptions`
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8185.json
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8185.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8185
reference_id
reference_type
scores
0
value 0.00679
scoring_system epss
scoring_elements 0.7189
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8185
2
reference_url https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2
3
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8185.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8185.yml
4
reference_url https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0
5
reference_url https://hackerone.com/reports/899069
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/899069
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8185
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8185
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1852380
reference_id 1852380
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1852380
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964081
reference_id 964081
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964081
11
reference_url https://github.com/advisories/GHSA-c6qr-h5vq-59jc
reference_id GHSA-c6qr-h5vq-59jc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c6qr-h5vq-59jc
12
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-8185, GHSA-c6qr-h5vq-59jc
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4w1v-z4zj-6ydp
12
url VCID-4wmv-rurk-tub6
vulnerability_id VCID-4wmv-rurk-tub6
summary 
Possible XSS Security Vulnerability in SafeBuffer#bytesplice
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

# Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

# Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-28120
reference_id
reference_type
scores
0
value 0.00418
scoring_system epss
scoring_elements 0.62058
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-28120
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
4
reference_url https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28120
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-28120
11
reference_url https://security.netapp.com/advisory/ntap-20240202-0006
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0006
12
reference_url https://www.debian.org/security/2023/dsa-5389
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://www.debian.org/security/2023/dsa-5389
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033262
reference_id 1033262
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033262
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2179637
reference_id 2179637
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2179637
15
reference_url https://github.com/advisories/GHSA-pj73-v5mw-pm9j
reference_id GHSA-pj73-v5mw-pm9j
reference_type
scores
url https://github.com/advisories/GHSA-pj73-v5mw-pm9j
16
reference_url https://security.netapp.com/advisory/ntap-20240202-0006/
reference_id ntap-20240202-0006
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://security.netapp.com/advisory/ntap-20240202-0006/
17
reference_url https://access.redhat.com/errata/RHSA-2023:1953
reference_id RHSA-2023:1953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1953
18
reference_url https://access.redhat.com/errata/RHSA-2023:3495
reference_id RHSA-2023:3495
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3495
19
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
reference_id UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
20
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
reference_id ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.3%252Bdfsg-1%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-28120, GHSA-pj73-v5mw-pm9j, GMS-2023-765
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4wmv-rurk-tub6
13
url VCID-58sa-6uag-z7hp
vulnerability_id VCID-58sa-6uag-z7hp
summary 
actionpack Improper Input Validation vulnerability
`active_support/core_ext/hash/conversions.rb` in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
references
0
reference_url http://rhn.redhat.com/errata/RHSA-2013-0153.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0153.html
1
reference_url http://rhn.redhat.com/errata/RHSA-2013-0154.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0154.html
2
reference_url http://rhn.redhat.com/errata/RHSA-2013-0155.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0155.html
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0156.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0156.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-0156
reference_id
reference_type
scores
0
value 0.91907
scoring_system epss
scoring_elements 0.99708
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-0156
5
reference_url https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156
7
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
8
reference_url https://groups.google.com/forum/?fromgroups=#!searchin/rubyonrails-security/2013-0156/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
reference_id
reference_type
scores
url https://groups.google.com/forum/?fromgroups=#!searchin/rubyonrails-security/2013-0156/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
9
reference_url https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-0156
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-0156
11
reference_url https://web.archive.org/web/20140111025708/http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20140111025708/http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
12
reference_url https://web.archive.org/web/20160415043747/https://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160415043747/https://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
13
reference_url https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156
14
reference_url http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
15
reference_url http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
16
reference_url http://www.debian.org/security/2013/dsa-2604
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2013/dsa-2604
17
reference_url http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
18
reference_url http://www.insinuator.net/2013/01/rails-yaml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.insinuator.net/2013/01/rails-yaml
19
reference_url http://www.insinuator.net/2013/01/rails-yaml/
reference_id
reference_type
scores
url http://www.insinuator.net/2013/01/rails-yaml/
20
reference_url http://www.kb.cert.org/vuls/id/380039
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.kb.cert.org/vuls/id/380039
21
reference_url http://www.kb.cert.org/vuls/id/628463
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.kb.cert.org/vuls/id/628463
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697722
reference_id 697722
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697722
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=892870
reference_id 892870
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=892870
24
reference_url https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156/
reference_id CVE-2013-0156
reference_type
scores
url https://web.archive.org/web/20160806154149/https://puppet.com/security/cve/cve-2013-0156/
25
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/24019.rb
reference_id CVE-2013-0156;OSVDB-89026
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/24019.rb
26
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/27527.rb
reference_id CVE-2013-0156;OSVDB-89026
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/27527.rb
27
reference_url https://github.com/advisories/GHSA-jmgw-6vjg-jjwg
reference_id GHSA-jmgw-6vjg-jjwg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jmgw-6vjg-jjwg
28
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
29
reference_url https://access.redhat.com/errata/RHSA-2013:0153
reference_id RHSA-2013:0153
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0153
30
reference_url https://access.redhat.com/errata/RHSA-2013:0154
reference_id RHSA-2013:0154
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0154
31
reference_url https://access.redhat.com/errata/RHSA-2013:0155
reference_id RHSA-2013:0155
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0155
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-0156, GHSA-jmgw-6vjg-jjwg, OSV-89026
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-58sa-6uag-z7hp
14
url VCID-5a2t-fre4-zkay
vulnerability_id VCID-5a2t-fre4-zkay
summary 
Cross-site Scripting in actionpack
Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/form_options_helper.rb` in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/6fca4f5c47705488?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075740.html
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1099.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1099.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2012-1099
reference_id
reference_type
scores
0
value 0.00399
scoring_system epss
scoring_elements 0.60937
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2012-1099
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=799276
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=799276
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099
7
reference_url https://github.com/advisories/GHSA-2xjj-5x6h-8vmf
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-2xjj-5x6h-8vmf
8
reference_url https://github.com/rails/rails/commit/9435f5a479317458c558ae743b7d876dd5a5db20
reference_id
reference_type
scores
url https://github.com/rails/rails/commit/9435f5a479317458c558ae743b7d876dd5a5db20
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-1099.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2012-1099.yml
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-79727.yml
reference_id
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-79727.yml
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2012-1099
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2012-1099
12
reference_url http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
13
reference_url http://www.debian.org/security/2012/dsa-2466
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2012/dsa-2466
14
reference_url http://www.openwall.com/lists/oss-security/2012/03/02/6
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2012/03/02/6
15
reference_url http://www.openwall.com/lists/oss-security/2012/03/03/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2012/03/03/1
fixed_packages
0
url pkg:deb/debian/rails@2.3.14?distro=trixie
purl pkg:deb/debian/rails@2.3.14?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2012-1099, GHSA-2xjj-5x6h-8vmf, OSV-79727
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5a2t-fre4-zkay
15
url VCID-5h8t-y9tc-sqgg
vulnerability_id VCID-5h8t-y9tc-sqgg
summary 
Moderate severity vulnerability that affects rails
Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.
references
0
reference_url http://bugs.gentoo.org/show_bug.cgi?id=195315
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://bugs.gentoo.org/show_bug.cgi?id=195315
1
reference_url http://dev.rubyonrails.org/ticket/8371
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://dev.rubyonrails.org/ticket/8371
2
reference_url http://osvdb.org/36378
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://osvdb.org/36378
3
reference_url http://pastie.caboo.se/65550.txt
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://pastie.caboo.se/65550.txt
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2007-3227
reference_id
reference_type
scores
0
value 0.13946
scoring_system epss
scoring_elements 0.94437
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2007-3227
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227
6
reference_url http://secunia.com/advisories/25699
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/25699
7
reference_url http://secunia.com/advisories/27657
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/27657
8
reference_url http://secunia.com/advisories/27756
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/27756
9
reference_url http://security.gentoo.org/glsa/glsa-200711-17.xml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://security.gentoo.org/glsa/glsa-200711-17.xml
10
reference_url https://github.com/advisories/GHSA-gm25-fpmr-43fj
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-gm25-fpmr-43fj
11
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-3227.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-3227.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2007-3227
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2007-3227
14
reference_url http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release
15
reference_url http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
16
reference_url http://www.novell.com/linux/security/advisories/2007_24_sr.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.novell.com/linux/security/advisories/2007_24_sr.html
17
reference_url http://www.securityfocus.com/bid/24161
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/24161
18
reference_url http://www.vupen.com/english/advisories/2007/2216
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2007/2216
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429177
reference_id 429177
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429177
20
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/30089.txt
reference_id CVE-2007-3227;OSVDB-36378
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/30089.txt
21
reference_url https://www.securityfocus.com/bid/24161/info
reference_id CVE-2007-3227;OSVDB-36378
reference_type exploit
scores
url https://www.securityfocus.com/bid/24161/info
22
reference_url https://security.gentoo.org/glsa/200711-17
reference_id GLSA-200711-17
reference_type
scores
url https://security.gentoo.org/glsa/200711-17
fixed_packages
0
url pkg:deb/debian/rails@1.2.5-1?distro=trixie
purl pkg:deb/debian/rails@1.2.5-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@1.2.5-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2007-3227, GHSA-gm25-fpmr-43fj, OSV-36378
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5h8t-y9tc-sqgg
16
url VCID-5jbk-xam9-4uca
vulnerability_id VCID-5jbk-xam9-4uca
summary 
rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements
NOTE: rails-ujs is part of Rails/actionview since 5.1.0.

There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to
occur when pasting malicious HTML content from the clipboard that
includes a data-method, data-remote or data-disable-with attribute.

This vulnerability has been assigned the CVE identifier CVE-2023-23913.

Not affected: < 5.1.0
Versions Affected: >= 5.1.0
Fixed Versions: 6.1.7.3, 7.0.4.3

Impact
  If the specified malicious HTML clipboard content is provided to a
  contenteditable element, this could result in the arbitrary execution
  of javascript on the origin in question.

Releases
  The FIXED releases are available at the normal locations.

Workarounds
  We recommend that all users upgrade to one of the FIXED versions.
  In the meantime, users can attempt to mitigate this vulnerability
  by removing the contenteditable attribute from elements in pages
  that rails-ujs will interact with.

Patches
  To aid users who aren’t able to upgrade immediately we have provided
  patches for the two supported release series. They are in git-am
  format and consist of a single changeset.

* rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series
* rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are
supported at present, and 6.0.Z for severe vulnerabilities.

Users of earlier unsupported releases are advised to upgrade as
soon as possible as we cannot guarantee the continued availability
of security fixes for unsupported releases.

Credits
  We would like to thank ryotak 15 for reporting this!

* rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB)
* rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB)
* rails-ujs-data-method-contenteditable-main.patch (8.9 KB)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23913.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23913.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-23913
reference_id
reference_type
scores
0
value 0.00156
scoring_system epss
scoring_elements 0.3614
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-23913
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T17:07:37Z/
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
5
reference_url https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T17:07:37Z/
url https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
8
reference_url https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T17:07:37Z/
url https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
9
reference_url https://github.com/rails/rails/commit/73009ea59a811b28e8ec2a9c9bc24635aa891214
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/73009ea59a811b28e8ec2a9c9bc24635aa891214
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2023-23913.yml
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2023-23913.yml
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-23913
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-23913
12
reference_url https://security.netapp.com/advisory/ntap-20240605-0007
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240605-0007
13
reference_url https://www.debian.org/security/2023/dsa-5389
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T17:07:37Z/
url https://www.debian.org/security/2023/dsa-5389
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2182160
reference_id 2182160
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2182160
15
reference_url https://github.com/advisories/GHSA-xp5h-f8jf-rc8q
reference_id GHSA-xp5h-f8jf-rc8q
reference_type
scores
url https://github.com/advisories/GHSA-xp5h-f8jf-rc8q
16
reference_url https://security.netapp.com/advisory/ntap-20240605-0007/
reference_id ntap-20240605-0007
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T17:07:37Z/
url https://security.netapp.com/advisory/ntap-20240605-0007/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.3%252Bdfsg-1%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-23913, GHSA-xp5h-f8jf-rc8q
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5jbk-xam9-4uca
17
url VCID-5pfg-7ntp-eff4
vulnerability_id VCID-5pfg-7ntp-eff4
summary 
Cross-site Scripting vulnerability in i18n translations helper method
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1
1
reference_url http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/c65c24fbc4b6dd82?dmode=source&output=gplain
2
reference_url http://openwall.com/lists/oss-security/2011/11/18/8
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2011/11/18/8
3
reference_url http://osvdb.org/77199
reference_id
reference_type
scores
url http://osvdb.org/77199
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-4319.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-4319.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-4319
reference_id
reference_type
scores
0
value 0.00607
scoring_system epss
scoring_elements 0.70015
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-4319
6
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/71364
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://exchange.xforce.ibmcloud.com/vulnerabilities/71364
7
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
8
reference_url https://github.com/rails/rails/commit/2d5b105d4bcb652550dda8b5613376d1b8beb70c
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2d5b105d4bcb652550dda8b5613376d1b8beb70c
9
reference_url https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade
10
reference_url https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade#diff-79e8a3e6d1d2808c4f93f63b3928a5a1
reference_id
reference_type
scores
url https://github.com/rails/rails/commit/ba2d85012088fd0db0fab98b2e512c77c83cbade#diff-79e8a3e6d1d2808c4f93f63b3928a5a1
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-4319.yml
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-77199.yml
reference_id
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-77199.yml
13
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-4319
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-4319
15
reference_url https://web.archive.org/web/20200228155840/http://www.securityfocus.com/bid/50722
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228155840/http://www.securityfocus.com/bid/50722
16
reference_url https://web.archive.org/web/20210307005941/http://www.securitytracker.com/id?1026342
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210307005941/http://www.securitytracker.com/id?1026342
17
reference_url http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released
18
reference_url http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released
19
reference_url http://www.securityfocus.com/bid/50722
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/50722
20
reference_url http://www.securitytracker.com/id?1026342
reference_id
reference_type
scores
url http://www.securitytracker.com/id?1026342
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=755004
reference_id 755004
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=755004
22
reference_url https://github.com/advisories/GHSA-xxr8-833v-c7wc
reference_id GHSA-xxr8-833v-c7wc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xxr8-833v-c7wc
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-4319, GHSA-xxr8-833v-c7wc, OSV-77199
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5pfg-7ntp-eff4
18
url VCID-5psk-hzaf-1kbz
vulnerability_id VCID-5psk-hzaf-1kbz
summary 
actionpack vulnerable to Cross-site Scripting
Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/translation_helper.rb` in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
references
0
reference_url http://rhn.redhat.com/errata/RHSA-2013-1794.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-1794.html
1
reference_url http://rhn.redhat.com/errata/RHSA-2014-0008.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0008.html
2
reference_url http://rhn.redhat.com/errata/RHSA-2014-1863.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-1863.html
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4491.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4491.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-4491
reference_id
reference_type
scores
0
value 0.00713
scoring_system epss
scoring_elements 0.72631
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-4491
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
10
reference_url http://seclists.org/oss-sec/2013/q4/401
reference_id
reference_type
scores
url http://seclists.org/oss-sec/2013/q4/401
11
reference_url https://github.com/advisories/GHSA-699m-mcjm-9cw8
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-699m-mcjm-9cw8
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-4491.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-4491.yml
13
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-4491
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-4491
15
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
16
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
17
reference_url http://www.debian.org/security/2014/dsa-2888
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2014/dsa-2888
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1036922
reference_id 1036922
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1036922
19
reference_url https://access.redhat.com/errata/RHSA-2013:1794
reference_id RHSA-2013:1794
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:1794
20
reference_url https://access.redhat.com/errata/RHSA-2014:0008
reference_id RHSA-2014:0008
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0008
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-4491, GHSA-699m-mcjm-9cw8, OSV-100528
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5psk-hzaf-1kbz
19
url VCID-5t76-mwx9-8kc8
vulnerability_id VCID-5t76-mwx9-8kc8
summary 
Ability to forge per-form CSRF tokens in Rails
It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Impact
------

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8166
reference_id
reference_type
scores
0
value 0.00443
scoring_system epss
scoring_elements 0.63589
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8166
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
9
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8166.yml
11
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements
1
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
12
reference_url https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:45:41Z/
url https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw
13
reference_url https://hackerone.com/reports/732415
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:45:41Z/
url https://hackerone.com/reports/732415
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8166
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8166
15
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T15:45:41Z/
url https://www.debian.org/security/2020/dsa-4766
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843152
reference_id 1843152
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843152
17
reference_url https://github.com/advisories/GHSA-jp5v-5gx4-jmj9
reference_id GHSA-jp5v-5gx4-jmj9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jp5v-5gx4-jmj9
18
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.4.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:5.2.4.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.4.3%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-8166, GHSA-jp5v-5gx4-jmj9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5t76-mwx9-8kc8
20
url VCID-5vcg-bgpn-9fhs
vulnerability_id VCID-5vcg-bgpn-9fhs
summary 
Active Record allows bypassing of database-query restrictions
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
references
0
reference_url http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
1
reference_url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
2
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
3
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
4
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
5
reference_url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
6
reference_url http://rhn.redhat.com/errata/RHSA-2013-0154.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0154.html
7
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0155.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0155.json
8
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-0155
reference_id
reference_type
scores
0
value 0.18174
scoring_system epss
scoring_elements 0.95304
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-0155
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0155.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0155.yml
11
reference_url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI
reference_id
reference_type
scores
url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI
12
reference_url https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/bc6f13dafe130ee9?dmode=source&output=gplain
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-0155
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-0155
14
reference_url http://support.apple.com/kb/HT5784
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT5784
15
reference_url http://www.debian.org/security/2013/dsa-2609
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2013/dsa-2609
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=892866
reference_id 892866
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=892866
17
reference_url https://github.com/advisories/GHSA-gppp-5xc5-wfpx
reference_id GHSA-gppp-5xc5-wfpx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gppp-5xc5-wfpx
18
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
19
reference_url https://access.redhat.com/errata/RHSA-2013:0154
reference_id RHSA-2013:0154
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0154
20
reference_url https://access.redhat.com/errata/RHSA-2013:0155
reference_id RHSA-2013:0155
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0155
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-0155, GHSA-gppp-5xc5-wfpx, OSV-89025
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5vcg-bgpn-9fhs
21
url VCID-6k4p-91ka-juh5
vulnerability_id VCID-6k4p-91ka-juh5
summary 
Rails has possible Sensitive Session Information Leak in Active Storage
# Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage.  By
default, Active Storage sends a `Set-Cookie` header along with the user's
session cookie when serving blobs.  It also sets `Cache-Control` to public.
Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected:  >= 5.2.0, < 7.1.0
Not affected:       < 5.2.0, > 7.1.0
Fixed Versions:     7.0.8.1, 6.1.7.7

Impact
------
A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker's session or vice
versa.

This was patched in 7.1.0 but not previously identified as a security
vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.

Credits
-------

Thanks to [tyage](https://hackerone.com/tyage) for reporting this!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26144
reference_id
reference_type
scores
0
value 0.04252
scoring_system epss
scoring_elements 0.88981
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26144
2
reference_url https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
6
reference_url https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3
7
reference_url https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26144
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26144
11
reference_url https://security.netapp.com/advisory/ntap-20240510-0013
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240510-0013
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119
reference_id 1065119
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2266063
reference_id 2266063
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2266063
14
reference_url https://github.com/advisories/GHSA-8h22-8cf7-hq6g
reference_id GHSA-8h22-8cf7-hq6g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8h22-8cf7-hq6g
15
reference_url https://security.netapp.com/advisory/ntap-20240510-0013/
reference_id ntap-20240510-0013
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/
url https://security.netapp.com/advisory/ntap-20240510-0013/
16
reference_url https://access.redhat.com/errata/RHSA-2024:10806
reference_id RHSA-2024:10806
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10806
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-26144, GHSA-8h22-8cf7-hq6g
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6k4p-91ka-juh5
22
url VCID-6z21-pd9d-pfgk
vulnerability_id VCID-6z21-pd9d-pfgk
summary 
Possible Strong Parameters Bypass in ActionPack
There is a strong parameters bypass vector in ActionPack.

Versions Affected:  rails <= 6.0.3
Not affected:       rails < 5.0.0
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------
In some cases user supplied information can be inadvertently leaked from
Strong Parameters.  Specifically the return value of `each`, or `each_value`,
or `each_pair` will return the underlying "untrusted" hash of data that was
read from the parameters.  Applications that use this return value may be
inadvertently use untrusted user input.

Impacted code will look something like this:

```
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above
example.

Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in your
application.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00089.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00093.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00107.html
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8164
reference_id
reference_type
scores
0
value 0.07389
scoring_system epss
scoring_elements 0.91842
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
11
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
12
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8164.yml
14
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
15
reference_url https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/f6ioe4sdpbY
16
reference_url https://hackerone.com/reports/292797
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/292797
17
reference_url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
18
reference_url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8164
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8164
20
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1842634
reference_id 1842634
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1842634
22
reference_url https://github.com/advisories/GHSA-8727-m6gj-mc37
reference_id GHSA-8727-m6gj-mc37
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8727-m6gj-mc37
23
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.4.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:5.2.4.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.4.3%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-8164, GHSA-8727-m6gj-mc37
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6z21-pd9d-pfgk
23
url VCID-71et-13y6-eufu
vulnerability_id VCID-71et-13y6-eufu
summary 
activesupport vulnerable to Denial of Service via large XML document depth
The (1) `jdom.rb` and (2) `rexml.rb` components in Active Support in Ruby on Rails before 3.2.22, 4.1.x before 4.1.11, and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html
1
reference_url http://openwall.com/lists/oss-security/2015/06/16/16
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2015/06/16/16
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3227.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3227.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2015-3227
reference_id
reference_type
scores
0
value 0.02683
scoring_system epss
scoring_elements 0.86095
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2015-3227
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
12
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
13
reference_url https://github.com/rails/rails/commit/12f763ce1131d29d24bd0d8f868e2697a139aea3
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/12f763ce1131d29d24bd0d8f868e2697a139aea3
14
reference_url https://github.com/rails/rails/commit/153cc843ad95930b00b0ca91d30b599b7dec9680
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/153cc843ad95930b00b0ca91d30b599b7dec9680
15
reference_url https://github.com/rails/rails/commit/78b29e08c700d889837af6c51c7debd3864abc3d
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/78b29e08c700d889837af6c51c7debd3864abc3d
16
reference_url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J
17
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
18
reference_url https://nvd.nist.gov/vuln/detail/CVE-2015-3227
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2015-3227
19
reference_url https://web.archive.org/web/20200228041703/http://www.securityfocus.com/bid/75234
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228041703/http://www.securityfocus.com/bid/75234
20
reference_url https://web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755
21
reference_url http://www.debian.org/security/2016/dsa-3464
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3464
22
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1232302
reference_id 1232302
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1232302
23
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790487
reference_id 790487
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790487
24
reference_url https://github.com/advisories/GHSA-j96r-xvjq-r9pg
reference_id GHSA-j96r-xvjq-r9pg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j96r-xvjq-r9pg
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.4-2?distro=trixie
purl pkg:deb/debian/rails@2:4.2.4-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.4-2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2015-3227, GHSA-j96r-xvjq-r9pg
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-71et-13y6-eufu
24
url VCID-7fe5-pa3v-wfcq
vulnerability_id VCID-7fe5-pa3v-wfcq
summary 
actionmailer email address processing causes Denial of service
Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html
1
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html
2
reference_url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4389.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4389.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-4389
reference_id
reference_type
scores
0
value 0.01333
scoring_system epss
scoring_elements 0.80273
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-4389
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
10
reference_url http://seclists.org/oss-sec/2013/q4/118
reference_id
reference_type
scores
url http://seclists.org/oss-sec/2013/q4/118
11
reference_url https://github.com/advisories/GHSA-rg5m-3fqp-6px8
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-rg5m-3fqp-6px8
12
reference_url https://github.com/rails/rails/tree/main/actionmailer
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/tree/main/actionmailer
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2013-4389.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2013-4389.yml
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-4389
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-4389
15
reference_url https://web.archive.org/web/20201208175929/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20201208175929/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ
16
reference_url http://www.debian.org/security/2014/dsa-2887
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2014/dsa-2887
17
reference_url http://www.debian.org/security/2014/dsa-2888
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2014/dsa-2888
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1013913
reference_id 1013913
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1013913
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-4389, GHSA-rg5m-3fqp-6px8, OSV-98629
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7fe5-pa3v-wfcq
25
url VCID-7g2f-y978-hqgr
vulnerability_id VCID-7g2f-y978-hqgr
summary 
Moderate severity vulnerability that affects rails
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
references
0
reference_url http://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://github.com/rails/rails
1
reference_url http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
2
reference_url http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
3
reference_url http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
4
reference_url http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
5
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-4214.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-4214.json
6
reference_url https://api.first.org/data/v1/epss?cve=CVE-2009-4214
reference_id
reference_type
scores
0
value 0.01632
scoring_system epss
scoring_elements 0.8221
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2009-4214
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
8
reference_url http://secunia.com/advisories/37446
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/37446
9
reference_url http://secunia.com/advisories/38915
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/38915
10
reference_url https://github.com/advisories/GHSA-9p3v-wf2w-v29c
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-9p3v-wf2w-v29c
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-4214.yml
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2009-4214
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2009-4214
13
reference_url http://support.apple.com/kb/HT4077
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT4077
14
reference_url http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
15
reference_url http://www.debian.org/security/2011/dsa-2260
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2260
16
reference_url http://www.debian.org/security/2011/dsa-2301
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2301
17
reference_url http://www.openwall.com/lists/oss-security/2009/11/27/2
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2009/11/27/2
18
reference_url http://www.openwall.com/lists/oss-security/2009/12/08/3
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2009/12/08/3
19
reference_url http://www.securityfocus.com/bid/37142
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/37142
20
reference_url http://www.securitytracker.com/id?1023245
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.securitytracker.com/id?1023245
21
reference_url http://www.vupen.com/english/advisories/2009/3352
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2009/3352
22
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=542786
reference_id 542786
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=542786
23
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685
reference_id 558685
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685
24
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
0
url pkg:deb/debian/rails@2.2.3-2?distro=trixie
purl pkg:deb/debian/rails@2.2.3-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.2.3-2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2009-4214, GHSA-9p3v-wf2w-v29c
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7g2f-y978-hqgr
26
url VCID-832g-x9kb-3bbx
vulnerability_id VCID-832g-x9kb-3bbx
summary 
actionview contains Path Traversal vulnerability
There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all possible scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097.

Versions Affected:  3.2.x, 4.0.x, 4.1.x
Not affected:       4.2+
Fixed Versions:     3.2.22.2, 4.1.14.2

Impact
------
Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method.

For example, change this:

```ruby
def index
  render params[:id]
end
```

To this:

```ruby
def index
  render verify_template(params[:id])
end

private
def verify_template(name)
  # add verification logic particular to your application here
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for it. It is in git-am format and consist of a single changeset.

* 3-2-render_data_leak_2.patch - Patch for 3.2 series
* 4-1-render_data_leak_2.patch - Patch for 4.1 series

Credits
-------
Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us in the patch!
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2097.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2097.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-2097
reference_id
reference_type
scores
0
value 0.01912
scoring_system epss
scoring_elements 0.83603
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-2097
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098
7
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:P/I:P/A:P
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
8
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
9
reference_url https://github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2097.yml
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-2097.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2016-2097.yml
12
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
13
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/ddY6HgqB2z4
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/ruby-security-ann/ddY6HgqB2z4
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-2097
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-2097
15
reference_url https://web.archive.org/web/20160322002234/http://www.securitytracker.com/id/1035122
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160322002234/http://www.securitytracker.com/id/1035122
16
reference_url https://web.archive.org/web/20200228015320/http://www.securityfocus.com/bid/83726
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228015320/http://www.securityfocus.com/bid/83726
17
reference_url https://web.archive.org/web/20201221115217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20201221115217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ
18
reference_url http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released
19
reference_url http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
20
reference_url http://www.debian.org/security/2016/dsa-3509
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3509
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1310043
reference_id 1310043
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1310043
22
reference_url https://github.com/advisories/GHSA-vx9j-46rh-fqr8
reference_id GHSA-vx9j-46rh-fqr8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vx9j-46rh-fqr8
23
reference_url https://access.redhat.com/errata/RHSA-2016:0454
reference_id RHSA-2016:0454
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0454
24
reference_url https://access.redhat.com/errata/RHSA-2016:0455
reference_id RHSA-2016:0455
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0455
25
reference_url https://access.redhat.com/errata/RHSA-2016:0456
reference_id RHSA-2016:0456
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0456
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.5.2-1?distro=trixie
purl pkg:deb/debian/rails@2:4.2.5.2-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.5.2-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2016-2097, GHSA-vx9j-46rh-fqr8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-832g-x9kb-3bbx
27
url VCID-8bvv-wkyv-1fdp
vulnerability_id VCID-8bvv-wkyv-1fdp
summary 
activemodel contains Improper Input Validation
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
references
0
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html
3
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html
4
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html
5
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
6
reference_url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
7
reference_url http://rhn.redhat.com/errata/RHSA-2016-0296.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-0296.html
8
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-0753.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-0753.json
9
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-0753
reference_id
reference_type
scores
0
value 0.02328
scoring_system epss
scoring_elements 0.8508
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-0753
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
16
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
17
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
18
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:N/I:P/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
19
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
20
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activemodel/CVE-2016-0753.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activemodel/CVE-2016-0753.yml
21
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
22
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-0753
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-0753
23
reference_url https://web.archive.org/web/20160405205300/http://www.securitytracker.com/id/1034816
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160405205300/http://www.securitytracker.com/id/1034816
24
reference_url https://web.archive.org/web/20200228000230/http://www.securityfocus.com/bid/82247
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228000230/http://www.securityfocus.com/bid/82247
25
reference_url https://web.archive.org/web/20210613054843/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210613054843/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ
26
reference_url http://www.debian.org/security/2016/dsa-3464
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3464
27
reference_url http://www.openwall.com/lists/oss-security/2016/01/25/14
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/01/25/14
28
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1301973
reference_id 1301973
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1301973
29
reference_url https://github.com/advisories/GHSA-543v-gj2c-r3ch
reference_id GHSA-543v-gj2c-r3ch
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-543v-gj2c-r3ch
30
reference_url https://access.redhat.com/errata/RHSA-2016:0296
reference_id RHSA-2016:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0296
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
purl pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.5.1-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2016-0753, GHSA-543v-gj2c-r3ch
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8bvv-wkyv-1fdp
28
url VCID-8umt-dz29-p3ck
vulnerability_id VCID-8umt-dz29-p3ck
summary 
Active Record vulnerable to SQL Injection via nested query parameters
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html
2
reference_url http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html
3
reference_url http://rhn.redhat.com/errata/RHSA-2013-0154.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0154.html
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2661.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-2661.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2012-2661
reference_id
reference_type
scores
0
value 0.00627
scoring_system epss
scoring_elements 0.70556
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2012-2661
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2661
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2661
7
reference_url https://github.com/rails/rails/commit/71f7917c553cdc9a0ee49e87af0efb7429759718#diff-2ec9993375ecb711e08452788d625581
reference_id
reference_type
scores
url https://github.com/rails/rails/commit/71f7917c553cdc9a0ee49e87af0efb7429759718#diff-2ec9993375ecb711e08452788d625581
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/OSVDB-82403.yml
reference_id
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/OSVDB-82403.yml
9
reference_url https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/fc2da6c627fc92df?dmode=source&output=gplain
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2012-2661
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2012-2661
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=827363
reference_id 827363
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=827363
12
reference_url https://github.com/advisories/GHSA-fh39-v733-mxfr
reference_id GHSA-fh39-v733-mxfr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fh39-v733-mxfr
13
reference_url https://access.redhat.com/errata/RHSA-2012:1542
reference_id RHSA-2012:1542
reference_type
scores
url https://access.redhat.com/errata/RHSA-2012:1542
14
reference_url https://access.redhat.com/errata/RHSA-2013:0154
reference_id RHSA-2013:0154
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0154
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2012-2661, GHSA-fh39-v733-mxfr, OSV-82403
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8umt-dz29-p3ck
29
url VCID-8uqv-cr1v-fbbm
vulnerability_id VCID-8uqv-cr1v-fbbm
summary 
Active Record contains deserialization of arbitrary YAML
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
references
0
reference_url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
1
reference_url http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0277.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0277.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-0277
reference_id
reference_type
scores
0
value 0.06742
scoring_system epss
scoring_elements 0.91424
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-0277
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277
5
reference_url http://securitytracker.com/id?1028109
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://securitytracker.com/id?1028109
6
reference_url https://github.com/rails/rails/tree/v6.1.4.1/activerecord
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/tree/v6.1.4.1/activerecord
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0277.yml
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0277.yml
8
reference_url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KtmwSbEpzrU
reference_id
reference_type
scores
url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KtmwSbEpzrU
9
reference_url https://groups.google.com/group/rubyonrails-security/msg/302ec7ce90f13837?dmode=source&output=gplain
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/302ec7ce90f13837?dmode=source&output=gplain
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-0277
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-0277
11
reference_url https://puppet.com/security/cve/cve-2013-0277
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://puppet.com/security/cve/cve-2013-0277
12
reference_url http://support.apple.com/kb/HT5784
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT5784
13
reference_url http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released
14
reference_url http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
15
reference_url http://www.debian.org/security/2013/dsa-2620
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2013/dsa-2620
16
reference_url http://www.openwall.com/lists/oss-security/2013/02/11/6
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2013/02/11/6
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=909633
reference_id 909633
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=909633
18
reference_url https://github.com/advisories/GHSA-fhj9-cjjh-27vm
reference_id GHSA-fhj9-cjjh-27vm
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fhj9-cjjh-27vm
19
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-0277, GHSA-fhj9-cjjh-27vm, OSV-90073
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8uqv-cr1v-fbbm
30
url VCID-98gu-r7wd-cuah
vulnerability_id VCID-98gu-r7wd-cuah
summary 
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.

Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact

Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious X_FORWARDED_HOST headers before they reach the application.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    6-1-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 6.1 series
    7-0-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22792
reference_id
reference_type
scores
0
value 0.02326
scoring_system epss
scoring_elements 0.85075
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22792
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22792
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22792
18
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
19
reference_url https://security.netapp.com/advisory/ntap-20240202-0007
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0007
20
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://www.debian.org/security/2023/dsa-5372
21
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
22
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164800
reference_id 2164800
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164800
23
reference_url https://github.com/advisories/GHSA-p84v-45xj-wwqj
reference_id GHSA-p84v-45xj-wwqj
reference_type
scores
url https://github.com/advisories/GHSA-p84v-45xj-wwqj
24
reference_url https://security.netapp.com/advisory/ntap-20240202-0007/
reference_id ntap-20240202-0007
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/
url https://security.netapp.com/advisory/ntap-20240202-0007/
25
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.3%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-22792, GHSA-p84v-45xj-wwqj, GMS-2023-58
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-98gu-r7wd-cuah
31
url VCID-9gqn-8g4t-wfby
vulnerability_id VCID-9gqn-8g4t-wfby
summary 
actionpack Cross-site Scripting vulnerability
The `sanitize_css` method in `lib/action_controller/vendor/html-scanner/html/sanitizer.rb` in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle `\n` (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html
1
reference_url http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html
2
reference_url http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html
3
reference_url http://rhn.redhat.com/errata/RHSA-2013-0698.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0698.html
4
reference_url http://rhn.redhat.com/errata/RHSA-2014-1863.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-1863.html
5
reference_url https://access.redhat.com/errata/RHSA-2013:0698
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2013:0698
6
reference_url https://access.redhat.com/errata/RHSA-2014:1863
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2014:1863
7
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-1855.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-1855.json
8
reference_url https://access.redhat.com/security/cve/CVE-2013-1855
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/CVE-2013-1855
9
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-1855
reference_id
reference_type
scores
0
value 0.00536
scoring_system epss
scoring_elements 0.67744
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-1855
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=921331
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=921331
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1855
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1855
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1855.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-1855.yml
13
reference_url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8
reference_id
reference_type
scores
url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8
14
reference_url https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/8ed835a97cdd1afd?dmode=source&output=gplain
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-1855
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-1855
16
reference_url http://support.apple.com/kb/HT5784
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT5784
17
reference_url https://web.archive.org/web/20130609174600/http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20130609174600/http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
18
reference_url https://web.archive.org/web/20131109010518/http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20131109010518/http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
19
reference_url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released
20
reference_url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
21
reference_url https://github.com/advisories/GHSA-q759-hwvc-m3jg
reference_id GHSA-q759-hwvc-m3jg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q759-hwvc-m3jg
22
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-1855, GHSA-q759-hwvc-m3jg, OSV-91452
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9gqn-8g4t-wfby
32
url VCID-a5js-1u9t-bfan
vulnerability_id VCID-a5js-1u9t-bfan
summary 
Active Record subject to strong parameters protection bypass
`activerecord/lib/active_record/relation/query_methods.rb` in Active Record in Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote attackers to bypass the strong parameters protection mechanism via crafted input to an application that makes `create_with` calls.
references
0
reference_url http://openwall.com/lists/oss-security/2014/08/18/10
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2014/08/18/10
1
reference_url http://rhn.redhat.com/errata/RHSA-2014-1102.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-1102.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3514.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3514.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2014-3514
reference_id
reference_type
scores
0
value 0.00331
scoring_system epss
scoring_elements 0.56253
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2014-3514
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3514
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3514
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-3514.yml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-3514.yml
6
reference_url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
7
reference_url https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
8
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/M4chq5Sb540
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/ruby-security-ann/M4chq5Sb540
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2014-3514
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2014-3514
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1131240
reference_id 1131240
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1131240
11
reference_url https://github.com/advisories/GHSA-9rf5-jm6f-2fmm
reference_id GHSA-9rf5-jm6f-2fmm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9rf5-jm6f-2fmm
12
reference_url https://access.redhat.com/errata/RHSA-2014:1102
reference_id RHSA-2014:1102
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:1102
fixed_packages
0
url pkg:deb/debian/rails@2:4.1.5-1?distro=trixie
purl pkg:deb/debian/rails@2:4.1.5-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.1.5-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2014-3514, GHSA-9rf5-jm6f-2fmm
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a5js-1u9t-bfan
33
url VCID-a6wp-n5yh-ybcv
vulnerability_id VCID-a6wp-n5yh-ybcv
summary 
Improper Input Validation in actionpack
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
2
reference_url http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup
3
reference_url http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
reference_id
reference_type
scores
url http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7248.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-7248.json
5
reference_url https://access.redhat.com/security/cve/CVE-2008-7248
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/CVE-2008-7248
6
reference_url https://api.first.org/data/v1/epss?cve=CVE-2008-7248
reference_id
reference_type
scores
0
value 0.11409
scoring_system epss
scoring_elements 0.93687
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2008-7248
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=544329
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=544329
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248
9
reference_url http://secunia.com/advisories/36600
reference_id
reference_type
scores
url http://secunia.com/advisories/36600
10
reference_url http://secunia.com/advisories/38915
reference_id
reference_type
scores
url http://secunia.com/advisories/38915
11
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
12
reference_url https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2008-7248.yml
14
reference_url https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
15
reference_url https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2008-7248
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2008-7248
17
reference_url https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup
18
reference_url https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
reference_id
reference_type
scores
url https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
19
reference_url https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20090906010200/https://www.vupen.com/english/advisories/2009/2544
20
reference_url https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
21
reference_url https://www.openwall.com/lists/oss-security/2009/11/28/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.openwall.com/lists/oss-security/2009/11/28/1
22
reference_url https://www.openwall.com/lists/oss-security/2009/12/02/2
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.openwall.com/lists/oss-security/2009/12/02/2
23
reference_url https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
24
reference_url http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
25
reference_url http://www.openwall.com/lists/oss-security/2009/11/28/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2009/11/28/1
26
reference_url http://www.openwall.com/lists/oss-security/2009/12/02/2
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2009/12/02/2
27
reference_url http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
reference_id
reference_type
scores
url http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
28
reference_url http://www.vupen.com/english/advisories/2009/2544
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2009/2544
29
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685
reference_id 558685
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685
30
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/33402.txt
reference_id CVE-2008-7248;OSVDB-61124
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/33402.txt
31
reference_url https://www.securityfocus.com/bid/37322/info
reference_id CVE-2008-7248;OSVDB-61124
reference_type exploit
scores
url https://www.securityfocus.com/bid/37322/info
32
reference_url https://github.com/advisories/GHSA-8fqx-7pv4-3jwm
reference_id GHSA-8fqx-7pv4-3jwm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8fqx-7pv4-3jwm
33
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
0
url pkg:deb/debian/rails@2.2.3-1?distro=trixie
purl pkg:deb/debian/rails@2.2.3-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.2.3-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2008-7248, GHSA-8fqx-7pv4-3jwm
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a6wp-n5yh-ybcv
34
url VCID-a97j-j4a4-7bg1
vulnerability_id VCID-a97j-j4a4-7bg1
summary 
activesupport Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/1c2e01a5e42722c9?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075675.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1098.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-1098.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2012-1098
reference_id
reference_type
scores
0
value 0.00377
scoring_system epss
scoring_elements 0.59564
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2012-1098
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=799275
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=799275
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
6
reference_url https://github.com/rails/rails/commit/c60c1c0812d5eb55e7024db350f8bc5b6729f7fe#diff-6156f8cec254c1236b4a4eceb04df3d9
reference_id
reference_type
scores
url https://github.com/rails/rails/commit/c60c1c0812d5eb55e7024db350f8bc5b6729f7fe#diff-6156f8cec254c1236b4a4eceb04df3d9
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/OSVDB-79726.yml
reference_id
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/OSVDB-79726.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2012-1098
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2012-1098
9
reference_url http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
10
reference_url http://www.openwall.com/lists/oss-security/2012/03/02/6
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2012/03/02/6
11
reference_url http://www.openwall.com/lists/oss-security/2012/03/03/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2012/03/03/1
12
reference_url https://github.com/advisories/GHSA-qv8p-v9qw-wc7g
reference_id GHSA-qv8p-v9qw-wc7g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qv8p-v9qw-wc7g
fixed_packages
0
url pkg:deb/debian/rails@2.3.14?distro=trixie
purl pkg:deb/debian/rails@2.3.14?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2012-1098, GHSA-qv8p-v9qw-wc7g, OSV-79726
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a97j-j4a4-7bg1
35
url VCID-amxp-1d77-h7hc
vulnerability_id VCID-amxp-1d77-h7hc
summary 
ActionText ContentAttachment can Contain Unsanitized HTML
Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML.

This has been assigned the CVE identifier CVE-2024-32464.


Versions Affected:  >= 7.1.0
Not affected:       < 7.1.0
Fixed Versions:     7.1.3.4

Impact
------
This could lead to a potential cross site scripting issue within the Trix editor.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
N/A

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset.

* action_text_content_attachment_xss_7_1_stable.patch - Patch for 7.1 series



Credits
-------

Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting this!
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-32464
reference_id
reference_type
scores
0
value 0.0028
scoring_system epss
scoring_elements 0.51597
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-32464
1
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
2
reference_url https://github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-31T19:54:13Z/
url https://github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995
3
reference_url https://github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-31T19:54:13Z/
url https://github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-32464.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-32464.yml
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-32464
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-32464
6
reference_url https://github.com/advisories/GHSA-prjp-h48f-jgf6
reference_id GHSA-prjp-h48f-jgf6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-prjp-h48f-jgf6
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-32464, GHSA-prjp-h48f-jgf6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-amxp-1d77-h7hc
36
url VCID-b2vm-7rth-mqhj
vulnerability_id VCID-b2vm-7rth-mqhj
summary 
Active Record Improper Input Validation
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
references
0
reference_url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
1
reference_url http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
2
reference_url http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-04/msg00070.html
3
reference_url http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-04/msg00071.html
4
reference_url http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-04/msg00075.html
5
reference_url http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-04/msg00078.html
6
reference_url http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-04/msg00079.html
7
reference_url http://rhn.redhat.com/errata/RHSA-2013-0699.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0699.html
8
reference_url http://rhn.redhat.com/errata/RHSA-2014-1863.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-1863.html
9
reference_url https://access.redhat.com/errata/RHSA-2013:0699
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2013:0699
10
reference_url https://access.redhat.com/errata/RHSA-2014:1863
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2014:1863
11
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-1854.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-1854.json
12
reference_url https://access.redhat.com/security/cve/CVE-2013-1854
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/CVE-2013-1854
13
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-1854
reference_id
reference_type
scores
0
value 0.01795
scoring_system epss
scoring_elements 0.83075
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-1854
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=921329
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=921329
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1854
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1854
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-1854.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-1854.yml
17
reference_url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/jgJ4cjjS8FE
reference_id
reference_type
scores
url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/jgJ4cjjS8FE
18
reference_url https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-1854
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-1854
20
reference_url http://support.apple.com/kb/HT5784
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT5784
21
reference_url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released
22
reference_url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
23
reference_url https://github.com/advisories/GHSA-3crr-9vmg-864v
reference_id GHSA-3crr-9vmg-864v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3crr-9vmg-864v
24
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-1854, GHSA-3crr-9vmg-864v, OSV-91453
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b2vm-7rth-mqhj
37
url VCID-b4sv-b9pz-r7er
vulnerability_id VCID-b4sv-b9pz-r7er
summary 
actionview Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
references
0
reference_url http://rhn.redhat.com/errata/RHSA-2016-1855.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-1855.html
1
reference_url http://rhn.redhat.com/errata/RHSA-2016-1856.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-1856.html
2
reference_url http://rhn.redhat.com/errata/RHSA-2016-1857.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-1857.html
3
reference_url http://rhn.redhat.com/errata/RHSA-2016-1858.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-1858.html
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-6316.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-6316.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-6316
reference_id
reference_type
scores
0
value 0.01626
scoring_system epss
scoring_elements 0.82169
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-6316
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6316
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6316
7
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:N/I:P/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-6316.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-6316.yml
9
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
10
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-6316
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-6316
12
reference_url https://web.archive.org/web/20200227202008/http://www.securityfocus.com/bid/92430
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200227202008/http://www.securityfocus.com/bid/92430
13
reference_url https://web.archive.org/web/20200812154343/https://puppet.com/security/cve/cve-2016-6316
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200812154343/https://puppet.com/security/cve/cve-2016-6316
14
reference_url http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released
15
reference_url http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/
16
reference_url http://www.debian.org/security/2016/dsa-3651
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3651
17
reference_url http://www.openwall.com/lists/oss-security/2016/08/11/3
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/08/11/3
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1365008
reference_id 1365008
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1365008
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834155
reference_id 834155
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834155
20
reference_url https://github.com/advisories/GHSA-pc3m-v286-2jwj
reference_id GHSA-pc3m-v286-2jwj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pc3m-v286-2jwj
21
reference_url https://access.redhat.com/errata/RHSA-2016:1855
reference_id RHSA-2016:1855
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:1855
22
reference_url https://access.redhat.com/errata/RHSA-2016:1856
reference_id RHSA-2016:1856
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:1856
23
reference_url https://access.redhat.com/errata/RHSA-2016:1857
reference_id RHSA-2016:1857
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:1857
24
reference_url https://access.redhat.com/errata/RHSA-2016:1858
reference_id RHSA-2016:1858
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:1858
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.7.1-1?distro=trixie
purl pkg:deb/debian/rails@2:4.2.7.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.7.1-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2016-6316, GHSA-pc3m-v286-2jwj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b4sv-b9pz-r7er
38
url VCID-b5he-f8nq-9yda
vulnerability_id VCID-b5he-f8nq-9yda
summary 
ReDoS based DoS vulnerability in Active Support's underscore
There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact

A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.

Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 6.1 series
    7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22796.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22796.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22796
reference_id
reference_type
scores
0
value 0.01525
scoring_system epss
scoring_elements 0.81578
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22796
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-05T21:51:29Z/
url https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8
16
reference_url https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef
17
reference_url https://github.com/rails/rails/releases/tag/v6.1.7.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.7.1
18
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
19
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml
20
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22796
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22796
21
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164736
reference_id 2164736
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164736
24
reference_url https://github.com/advisories/GHSA-j6gc-792m-qgm2
reference_id GHSA-j6gc-792m-qgm2
reference_type
scores
url https://github.com/advisories/GHSA-j6gc-792m-qgm2
25
reference_url https://security.netapp.com/advisory/ntap-20240202-0009/
reference_id ntap-20240202-0009
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-05T21:51:29Z/
url https://security.netapp.com/advisory/ntap-20240202-0009/
26
reference_url https://access.redhat.com/errata/RHSA-2023:4341
reference_id RHSA-2023:4341
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:4341
27
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.3%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-22796, GHSA-j6gc-792m-qgm2, GMS-2023-61
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b5he-f8nq-9yda
39
url VCID-b7z5-h1bw-tya9
vulnerability_id VCID-b7z5-h1bw-tya9
summary 
Missing security headers in Action Pack on non-HTML responses
# Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses
with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.


Versions Affected:  >= 6.1.0
Not affected:       < 6.1.0
Fixed Versions:     6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact
------
Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
N/A

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the supported release series in accordance with our 
[maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues)
regarding security issues. They are in git-am format and consist of a
single changeset.

* 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
* 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
* 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series



Credits
-------

Thank you [shinkbr](https://hackerone.com/shinkbr) for reporting this!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28103.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28103.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28103
reference_id
reference_type
scores
0
value 0.00832
scoring_system epss
scoring_elements 0.74889
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28103
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T16:17:47Z/
url https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T16:17:47Z/
url https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28103
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28103
8
reference_url https://security.netapp.com/advisory/ntap-20241206-0002
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20241206-0002
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072705
reference_id 1072705
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072705
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2290530
reference_id 2290530
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2290530
11
reference_url https://github.com/advisories/GHSA-fwhr-88qx-h9g7
reference_id GHSA-fwhr-88qx-h9g7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fwhr-88qx-h9g7
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-28103, GHSA-fwhr-88qx-h9g7
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b7z5-h1bw-tya9
40
url VCID-baur-f442-wqgw
vulnerability_id VCID-baur-f442-wqgw
summary 
actionpack CRLF injection vulnerability
CRLF injection vulnerability in `actionpack/lib/action_controller/response.rb` in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/bbe342e43abaa78c?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/bbe342e43abaa78c?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-3186
reference_id
reference_type
scores
0
value 0.00814
scoring_system epss
scoring_elements 0.7458
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-3186
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=732156
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=732156
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3186
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3186
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/11dafeaa7533be26441a63618be93a03869c83a9
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/11dafeaa7533be26441a63618be93a03869c83a9
7
reference_url https://github.com/rails/rails/commit/11dafeaa7533be26441a63618be93a03869c83a9#diff-62558f372a46058cbab9309494d0fbb1
reference_id
reference_type
scores
url https://github.com/rails/rails/commit/11dafeaa7533be26441a63618be93a03869c83a9#diff-62558f372a46058cbab9309494d0fbb1
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3186.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-3186.yml
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-74616.yml
reference_id
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/OSVDB-74616.yml
10
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/b_yTveAph2g
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/b_yTveAph2g
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-3186
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-3186
12
reference_url https://web.archive.org/web/20150201000000*/http://secunia.com/advisories/45921
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20150201000000*/http://secunia.com/advisories/45921
13
reference_url http://www.debian.org/security/2011/dsa-2301
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2301
14
reference_url http://www.openwall.com/lists/oss-security/2011/08/17/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/17/1
15
reference_url http://www.openwall.com/lists/oss-security/2011/08/19/11
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/19/11
16
reference_url http://www.openwall.com/lists/oss-security/2011/08/20/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/20/1
17
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/13
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/13
18
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/14
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/14
19
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/5
20
reference_url https://github.com/advisories/GHSA-fcqf-h4h4-695m
reference_id GHSA-fcqf-h4h4-695m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fcqf-h4h4-695m
21
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.14?distro=trixie
purl pkg:deb/debian/rails@2.3.14?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-3186, GHSA-fcqf-h4h4-695m, OSV-74616
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-baur-f442-wqgw
41
url VCID-be5x-uyc6-sudm
vulnerability_id VCID-be5x-uyc6-sudm
summary rubygem-actionpack: information leak between requests
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23633
reference_id
reference_type
scores
0
value 0.00187
scoring_system epss
scoring_elements 0.40348
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23633
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
16
reference_url https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
17
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
18
reference_url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3
scoring_elements
1
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
19
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
20
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23633
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23633
21
reference_url https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
22
reference_url https://security.netapp.com/advisory/ntap-20240119-0013
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240119-0013
23
reference_url https://security.netapp.com/advisory/ntap-20240119-0013/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240119-0013/
24
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
25
reference_url http://www.openwall.com/lists/oss-security/2022/02/11/5
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2022/02/11/5
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
reference_id 1005389
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
27
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2063149
reference_id 2063149
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2063149
28
reference_url https://access.redhat.com/errata/RHSA-2022:5498
reference_id RHSA-2022:5498
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5498
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.4.6%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.4.6%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.4.6%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2022-23633, GHSA-wh98-p28r-vrc9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-be5x-uyc6-sudm
42
url VCID-bepd-668e-13h8
vulnerability_id VCID-bepd-668e-13h8
summary 
Use of Insufficiently Random Values in Railties Allows Remote Code Execution
# Possible Remote Code Execution Exploit in Rails Development Mode

Impact 
------ 
With some knowledge of a target application it is possible for an attacker to  guess the automatically generated development mode secret token.  This secret  token can be used in combination with other Rails internals to escalate to a remote code execution exploit. 

All users running an affected release should either upgrade or use one of the workarounds immediately. 

Releases 
-------- 
The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations. 

Workarounds 
----------- 
This issue can be mitigated by specifying a secret key in development mode. 
In "config/environments/development.rb" add this: 

```
  config.secret_key_base = SecureRandom.hex(64) 
```

Please note that only the 5.2.x, 5.1.x, 5.0.x, and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. 

Credits 
------- 
Thanks to ooooooo_q
references
0
reference_url http://packetstormsecurity.com/files/152704/Ruby-On-Rails-DoubleTap-Development-Mode-secret_key_base-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/152704/Ruby-On-Rails-DoubleTap-Development-Mode-secret_key_base-Remote-Code-Execution.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5420.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5420.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-5420
reference_id
reference_type
scores
0
value 0.93745
scoring_system epss
scoring_elements 0.9986
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-5420
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5420
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5420
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/railties/CVE-2019-5420.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/railties/CVE-2019-5420.yml
6
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-5420
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-5420
10
reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
11
reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
reference_id
reference_type
scores
url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
12
reference_url https://www.exploit-db.com/exploits/46785
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/46785
13
reference_url https://www.exploit-db.com/exploits/46785/
reference_id
reference_type
scores
url https://www.exploit-db.com/exploits/46785/
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1689154
reference_id 1689154
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1689154
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924521
reference_id 924521
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924521
16
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/46785.rb
reference_id CVE-2019-5420
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/46785.rb
17
reference_url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/rails_double_tap.rb
reference_id CVE-2019-5420
reference_type exploit
scores
url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/rails_double_tap.rb
18
reference_url https://github.com/advisories/GHSA-m42h-mh85-4qgc
reference_id GHSA-m42h-mh85-4qgc
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m42h-mh85-4qgc
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2019-5420, GHSA-m42h-mh85-4qgc
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bepd-668e-13h8
43
url VCID-bfbp-7umh-2fcp
vulnerability_id VCID-bfbp-7umh-2fcp
summary 
actionpack and activesupport vulnerable to information leaks
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2009-3086
reference_id
reference_type
scores
0
value 0.00556
scoring_system epss
scoring_elements 0.68454
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2009-3086
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086
3
reference_url http://secunia.com/advisories/36600
reference_id
reference_type
scores
url http://secunia.com/advisories/36600
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0
6
reference_url https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978
7
reference_url https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3086.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3086.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2009-3086
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2009-3086
11
reference_url https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544
12
reference_url https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600
13
reference_url https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427
14
reference_url http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
15
reference_url http://www.debian.org/security/2011/dsa-2260
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2260
16
reference_url http://www.securityfocus.com/bid/37427
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/37427
17
reference_url http://www.vupen.com/english/advisories/2009/2544
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2009/2544
18
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
reference_id 545063
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
19
reference_url https://github.com/advisories/GHSA-fg9w-g6m4-557j
reference_id GHSA-fg9w-g6m4-557j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fg9w-g6m4-557j
20
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
0
url pkg:deb/debian/rails@2.2.3-1?distro=trixie
purl pkg:deb/debian/rails@2.2.3-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.2.3-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2009-3086, GHSA-fg9w-g6m4-557j
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bfbp-7umh-2fcp
44
url VCID-brwd-e9kx-xuc2
vulnerability_id VCID-brwd-e9kx-xuc2
summary 
actionpack allows remote code execution via application's unrestricted use of render method
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00057.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00080.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00083.html
3
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00086.html
4
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00006.html
5
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
6
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2098.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2098.json
7
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-2098
reference_id
reference_type
scores
0
value 0.84091
scoring_system epss
scoring_elements 0.99319
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-2098
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098
10
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2098.yml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-2098.yml
12
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3
scoring_elements
1
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
13
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/ly-IH-fxr_Q
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/ruby-security-ann/ly-IH-fxr_Q
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-2098
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-2098
15
reference_url https://web.archive.org/web/20200228015318/http://www.securityfocus.com/bid/83725
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228015318/http://www.securityfocus.com/bid/83725
16
reference_url https://web.archive.org/web/20210612214217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210612214217/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ
17
reference_url https://web.archive.org/web/20211205173437/https://securitytracker.com/id/1035122
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20211205173437/https://securitytracker.com/id/1035122
18
reference_url https://www.exploit-db.com/exploits/40086
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/40086
19
reference_url https://www.exploit-db.com/exploits/40086/
reference_id
reference_type
scores
url https://www.exploit-db.com/exploits/40086/
20
reference_url http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released
21
reference_url http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
22
reference_url http://www.debian.org/security/2016/dsa-3509
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3509
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1310054
reference_id 1310054
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1310054
24
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/remote/40086.rb
reference_id CVE-2016-2098
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/remote/40086.rb
25
reference_url https://github.com/advisories/GHSA-78rc-8c29-p45g
reference_id GHSA-78rc-8c29-p45g
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-78rc-8c29-p45g
26
reference_url https://access.redhat.com/errata/RHSA-2016:0454
reference_id RHSA-2016:0454
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0454
27
reference_url https://access.redhat.com/errata/RHSA-2016:0455
reference_id RHSA-2016:0455
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0455
28
reference_url https://access.redhat.com/errata/RHSA-2016:0456
reference_id RHSA-2016:0456
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0456
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.5.2-1?distro=trixie
purl pkg:deb/debian/rails@2:4.2.5.2-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.5.2-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2016-2098, GHSA-78rc-8c29-p45g
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-brwd-e9kx-xuc2
45
url VCID-cbdn-yhbu-5uaj
vulnerability_id VCID-cbdn-yhbu-5uaj
summary 
ActiveRecord in Ruby on Rails allows database-query bypass
Active Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
references
0
reference_url http://rhn.redhat.com/errata/RHSA-2016-1855.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-1855.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-6317.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-6317.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-6317
reference_id
reference_type
scores
0
value 0.00381
scoring_system epss
scoring_elements 0.59771
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-6317
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6317
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6317
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:P/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2016-6317.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2016-6317.yml
6
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
7
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-6317
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-6317
9
reference_url http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released
10
reference_url http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/
11
reference_url http://www.openwall.com/lists/oss-security/2016/08/11/4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/08/11/4
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1365017
reference_id 1365017
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1365017
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834154
reference_id 834154
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834154
14
reference_url https://github.com/advisories/GHSA-pr3r-4wrp-r2pv
reference_id GHSA-pr3r-4wrp-r2pv
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pr3r-4wrp-r2pv
15
reference_url https://access.redhat.com/errata/RHSA-2016:1855
reference_id RHSA-2016:1855
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:1855
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.7.1-1?distro=trixie
purl pkg:deb/debian/rails@2:4.2.7.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.7.1-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2016-6317, GHSA-pr3r-4wrp-r2pv
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cbdn-yhbu-5uaj
46
url VCID-cs1f-uhb2-xkcm
vulnerability_id VCID-cs1f-uhb2-xkcm
summary 
actionpack Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in the simple_format helper in `actionpack/lib/action_view/helpers/text_helper.rb` in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6416.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6416.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-6416
reference_id
reference_type
scores
0
value 0.00236
scoring_system epss
scoring_elements 0.46624
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-6416
2
reference_url http://seclists.org/oss-sec/2013/q4/404
reference_id
reference_type
scores
url http://seclists.org/oss-sec/2013/q4/404
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/commit/4b4f5847f64f81c961625e647711ef9f6ad1a454
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/4b4f5847f64f81c961625e647711ef9f6ad1a454
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6416.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6416.yml
6
reference_url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ
7
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-6416
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-6416
9
reference_url https://web.archive.org/web/20200228165109/http://www.securityfocus.com/bid/64071
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228165109/http://www.securityfocus.com/bid/64071
10
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
11
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1036914
reference_id 1036914
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1036914
13
reference_url https://github.com/advisories/GHSA-w37c-q653-qg95
reference_id GHSA-w37c-q653-qg95
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w37c-q653-qg95
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-6416, GHSA-w37c-q653-qg95, OSV-100526
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cs1f-uhb2-xkcm
47
url VCID-dd87-gevs-juhe
vulnerability_id VCID-dd87-gevs-juhe
summary 
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact
------

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.


Credits
-------

Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41128.json
1
reference_url https://access.redhat.com/security/cve/cve-2024-41128
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://access.redhat.com/security/cve/cve-2024-41128
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-41128
reference_id
reference_type
scores
0
value 0.00774
scoring_system epss
scoring_elements 0.73902
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-41128
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319036
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://bugzilla.redhat.com/show_bug.cgi?id=2319036
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41128
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075
8
reference_url https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef
9
reference_url https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891
10
reference_url https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/
url https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-41128
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-41128
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
15
reference_url https://github.com/advisories/GHSA-x76w-6vjr-8xgj
reference_id GHSA-x76w-6vjr-8xgj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x76w-6vjr-8xgj
16
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-41128, GHSA-x76w-6vjr-8xgj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dd87-gevs-juhe
48
url VCID-dp3h-z1zs-ufba
vulnerability_id VCID-dp3h-z1zs-ufba
summary activerecord: Possible RCE escalation bug with Serialized Columns in Active Record
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32224.json
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32224.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-32224
reference_id
reference_type
scores
0
value 0.01897
scoring_system epss
scoring_elements 0.83531
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-32224
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32224
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32224
3
reference_url https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-24T15:17:17Z/
url https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
6
reference_url https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a
7
reference_url https://github.com/rails/rails/commits/main/activerecord
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commits/main/activerecord
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-32224.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-32224.yml
9
reference_url https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-24T15:17:17Z/
url https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
10
reference_url https://lists.debian.org/debian-lts-announce/2026/05/msg00022.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2026/05/msg00022.html
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-32224
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-32224
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016140
reference_id 1016140
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016140
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2108997
reference_id 2108997
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2108997
14
reference_url https://security.gentoo.org/glsa/202408-24
reference_id GLSA-202408-24
reference_type
scores
url https://security.gentoo.org/glsa/202408-24
15
reference_url https://access.redhat.com/errata/RHSA-2023:0261
reference_id RHSA-2023:0261
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0261
16
reference_url https://access.redhat.com/errata/RHSA-2023:1151
reference_id RHSA-2023:1151
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1151
17
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u5?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u5?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u5%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.6.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.6.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.6.1%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2022-32224, GHSA-3hhc-qp5v-9p2j
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dp3h-z1zs-ufba
49
url VCID-e4wh-thvg-5kdk
vulnerability_id VCID-e4wh-thvg-5kdk
summary 
activesupport Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.r`b in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/f1d2749773db9f21?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html
3
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-2932
reference_id
reference_type
scores
0
value 0.00813
scoring_system epss
scoring_elements 0.7456
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-2932
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=731435
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=731435
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2932
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2932
7
reference_url http://secunia.com/advisories/45917
reference_id
reference_type
scores
url http://secunia.com/advisories/45917
8
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
9
reference_url https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2932.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2932.yml
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-2932
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-2932
12
reference_url http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
13
reference_url http://www.openwall.com/lists/oss-security/2011/08/17/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/17/1
14
reference_url http://www.openwall.com/lists/oss-security/2011/08/19/11
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/19/11
15
reference_url http://www.openwall.com/lists/oss-security/2011/08/20/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/20/1
16
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/13
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/13
17
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/14
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/14
18
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/5
19
reference_url https://github.com/advisories/GHSA-9fh3-vh3h-q4g3
reference_id GHSA-9fh3-vh3h-q4g3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9fh3-vh3h-q4g3
20
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.14?distro=trixie
purl pkg:deb/debian/rails@2.3.14?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-2932, GHSA-9fh3-vh3h-q4g3
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e4wh-thvg-5kdk
50
url VCID-eeru-6pyc-8bcd
vulnerability_id VCID-eeru-6pyc-8bcd
summary 
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact
------

For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.


Credits
-------
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47887.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47887
reference_id
reference_type
scores
0
value 0.00333
scoring_system epss
scoring_elements 0.56344
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47887
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47887
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-47887.yml
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319034
reference_id 2319034
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2319034
9
reference_url https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049
reference_id 56b2fc3302836405b496e196a8d5fc0195e55049
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049
10
reference_url https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a
reference_id 7c1398854d51f9bb193fb79f226647351133d08a
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a
11
reference_url https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545
reference_id 8e057db25bff1dc7a98e9ae72e0083825b9ac545
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545
12
reference_url https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
reference_id f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:34:50Z/
url https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2
13
reference_url https://github.com/advisories/GHSA-vfg9-r3fq-jvx4
reference_id GHSA-vfg9-r3fq-jvx4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vfg9-r3fq-jvx4
14
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-47887, GHSA-vfg9-r3fq-jvx4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eeru-6pyc-8bcd
51
url VCID-ejgq-s79w-abd6
vulnerability_id VCID-ejgq-s79w-abd6
summary 
rails Cross-site Scripting vulnerability
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/663b600d4471e0d4?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html
3
reference_url http://openwall.com/lists/oss-security/2011/06/09/2
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2011/06/09/2
4
reference_url http://openwall.com/lists/oss-security/2011/06/13/9
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2011/06/13/9
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-2197
reference_id
reference_type
scores
0
value 0.00442
scoring_system epss
scoring_elements 0.63551
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-2197
6
reference_url http://secunia.com/advisories/44789
reference_id
reference_type
scores
url http://secunia.com/advisories/44789
7
reference_url https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f
8
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
9
reference_url https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd
10
reference_url https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2011-2197.yml
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-2197
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-2197
13
reference_url http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
14
reference_url https://github.com/advisories/GHSA-v9v4-7jp6-8c73
reference_id GHSA-v9v4-7jp6-8c73
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v9v4-7jp6-8c73
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-2197, GHSA-v9v4-7jp6-8c73
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ejgq-s79w-abd6
52
url VCID-enf4-jrzh-nyac
vulnerability_id VCID-enf4-jrzh-nyac
summary 
Active Record subject to Regular Expression Denial-of-Service (ReDoS)
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22880.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22880.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22880
reference_id
reference_type
scores
0
value 0.02599
scoring_system epss
scoring_elements 0.85857
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22880
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
5
reference_url https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml
9
reference_url https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
10
reference_url https://hackerone.com/reports/1023899
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1023899
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22880
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22880
14
reference_url https://security.netapp.com/advisory/ntap-20210805-0009
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210805-0009
15
reference_url https://www.debian.org/security/2021/dsa-4929
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-4929
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1930102
reference_id 1930102
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1930102
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.5%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.5%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.5%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2021-22880, GHSA-8hc4-xxm3-5ppp
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-enf4-jrzh-nyac
53
url VCID-er3j-4ygz-kqdx
vulnerability_id VCID-er3j-4ygz-kqdx
summary 
activerecord vulnerable to SQL Injection
Multiple SQL injection vulnerabilities in the `quote_table_name` method in the ActiveRecord adapters in `activerecord/lib/active_record/connection_adapters/` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/b1a85d36b0f9dd30?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-2930
reference_id
reference_type
scores
0
value 0.00955
scoring_system epss
scoring_elements 0.76726
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-2930
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=731438
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=731438
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2930
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2930
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-2930.yml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-2930.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-2930
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-2930
9
reference_url http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
10
reference_url http://www.debian.org/security/2011/dsa-2301
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2301
11
reference_url http://www.openwall.com/lists/oss-security/2011/08/17/1
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/17/1
12
reference_url http://www.openwall.com/lists/oss-security/2011/08/19/11
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/19/11
13
reference_url http://www.openwall.com/lists/oss-security/2011/08/20/1
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/20/1
14
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/13
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/13
15
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/14
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/14
16
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/5
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/5
17
reference_url https://github.com/advisories/GHSA-h6w6-xmqv-7q78
reference_id GHSA-h6w6-xmqv-7q78
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h6w6-xmqv-7q78
18
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.14?distro=trixie
purl pkg:deb/debian/rails@2.3.14?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-2930, GHSA-h6w6-xmqv-7q78
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-er3j-4ygz-kqdx
54
url VCID-euc6-6yb8-hkej
vulnerability_id VCID-euc6-6yb8-hkej
summary Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."
references
0
reference_url http://bugs.gentoo.org/show_bug.cgi?id=195315
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://bugs.gentoo.org/show_bug.cgi?id=195315
1
reference_url http://docs.info.apple.com/article.html?artnum=307179
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://docs.info.apple.com/article.html?artnum=307179
2
reference_url http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2007-5380
reference_id
reference_type
scores
0
value 0.05845
scoring_system epss
scoring_elements 0.90684
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2007-5380
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5380
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5380
5
reference_url http://secunia.com/advisories/27657
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/27657
6
reference_url http://secunia.com/advisories/27965
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/27965
7
reference_url http://secunia.com/advisories/28136
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/28136
8
reference_url http://security.gentoo.org/glsa/glsa-200711-17.xml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://security.gentoo.org/glsa/glsa-200711-17.xml
9
reference_url https://github.com/advisories/GHSA-jwhv-rgqc-fqj5
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-jwhv-rgqc-fqj5
10
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5380.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-5380.yml
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2007-5380
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2007-5380
13
reference_url http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
14
reference_url http://www.novell.com/linux/security/advisories/2007_25_sr.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.novell.com/linux/security/advisories/2007_25_sr.html
15
reference_url http://www.securityfocus.com/bid/26096
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/26096
16
reference_url http://www.us-cert.gov/cas/techalerts/TA07-352A.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.us-cert.gov/cas/techalerts/TA07-352A.html
17
reference_url http://www.vupen.com/english/advisories/2007/3508
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2007/3508
18
reference_url http://www.vupen.com/english/advisories/2007/4238
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2007/4238
19
reference_url https://security.gentoo.org/glsa/200711-17
reference_id GLSA-200711-17
reference_type
scores
url https://security.gentoo.org/glsa/200711-17
20
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
0
url pkg:deb/debian/rails@1.2.5-1?distro=trixie
purl pkg:deb/debian/rails@1.2.5-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@1.2.5-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2007-5380, GHSA-jwhv-rgqc-fqj5
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-euc6-6yb8-hkej
55
url VCID-fdqs-v9b2-53gu
vulnerability_id VCID-fdqs-v9b2-53gu
summary 
actionpack Open Redirect in Host Authorization Middleware
Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

```
config.hosts <<  '.EXAMPLE.com'
```

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.

Releases
--------
The fixed releases are available at the normal locations.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 6-0-host-authorzation-open-redirect.patch - Patch for 6.0 series
* 6-1-host-authorzation-open-redirect.patch - Patch for 6.1 series
* 7-0-host-authorzation-open-redirect.patch - Patch for 7.0 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44528.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44528.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-44528
reference_id
reference_type
scores
0
value 0.28611
scoring_system epss
scoring_elements 0.96613
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-44528
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
13
reference_url https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021
14
reference_url https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815
15
reference_url https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml
17
reference_url https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ
18
reference_url https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-44528
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-44528
20
reference_url https://security.netapp.com/advisory/ntap-20240208-0003
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240208-0003
21
reference_url https://security.netapp.com/advisory/ntap-20240208-0003/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240208-0003/
22
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
23
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001817
reference_id 1001817
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001817
24
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2034266
reference_id 2034266
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2034266
25
reference_url https://github.com/advisories/GHSA-qphc-hf5q-v8fc
reference_id GHSA-qphc-hf5q-v8fc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qphc-hf5q-v8fc
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.4.6%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.4.6%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.4.6%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2021-44528, GHSA-qphc-hf5q-v8fc
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fdqs-v9b2-53gu
56
url VCID-fgtd-zx7r-rygb
vulnerability_id VCID-fgtd-zx7r-rygb
summary 
Open Redirect in ActionPack
# Overview

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.

Versions Affected: >= 6.0.0.
Not affected: < 6.0.0
Fixed Versions: 6.1.4.1, 6.0.4.1

# Impact

Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

```ruby
config.hosts <<  '.EXAMPLE.com'
```

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take in to account domain name case sensitivity.

# Releases

The fixed releases are available at the normal locations.

# Workarounds

In the case a patch can’t be applied, the following monkey patch can be used in an initializer:

```ruby
module ActionDispatch
  class HostAuthorization
    HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
    VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
    VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

    private
      def authorized?(request)
        origin_host =
          request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
        forwarded_host =
          request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
        @permissions.allows?(origin_host) &&
          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
      end
  end
end
```
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json
1
reference_url https://access.redhat.com/security/cve/cve-2021-22942
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/cve-2021-22942
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22942
reference_id
reference_type
scores
0
value 0.00533
scoring_system epss
scoring_elements 0.67662
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
13
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
14
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml
15
reference_url https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22942
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22942
17
reference_url https://rubygems.org/gems/actionpack
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubygems.org/gems/actionpack
18
reference_url https://security.netapp.com/advisory/ntap-20240202-0005
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0005
19
reference_url https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released
20
reference_url https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/
reference_id
reference_type
scores
url https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/
21
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
22
reference_url http://www.openwall.com/lists/oss-security/2021/12/14/5
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/12/14/5
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1995940
reference_id 1995940
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1995940
24
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586
reference_id 992586
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586
25
reference_url https://security.archlinux.org/AVG-2492
reference_id AVG-2492
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2492
26
reference_url https://security.archlinux.org/AVG-2493
reference_id AVG-2493
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2493
27
reference_url https://github.com/advisories/GHSA-2rqw-v265-jf8c
reference_id GHSA-2rqw-v265-jf8c
reference_type
scores
url https://github.com/advisories/GHSA-2rqw-v265-jf8c
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.4.1%2Bdfsg-3?distro=trixie
purl pkg:deb/debian/rails@2:6.1.4.1%2Bdfsg-3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.4.1%252Bdfsg-3%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2021-22942, GHSA-2rqw-v265-jf8c
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fgtd-zx7r-rygb
57
url VCID-fr3w-ejk8-47gw
vulnerability_id VCID-fr3w-ejk8-47gw
summary 
Cross site scripting in actionpack Rubygem
A cross-site scripting vulnerability flaw was found in the `auto_link` function in Rails before version 3.0.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-1497.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-1497.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-1497
reference_id
reference_type
scores
0
value 0.00328
scoring_system epss
scoring_elements 0.55931
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-1497
2
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
3
reference_url https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG
4
reference_url https://github.com/rails/rails/commit/61ee3449674c591747db95f9b3472c5c3bd9e84d
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/61ee3449674c591747db95f9b3472c5c3bd9e84d
5
reference_url https://github.com/rails/rails/commit/ab764ecbfea31a3b14323283287e2fc80955ace6
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/ab764ecbfea31a3b14323283287e2fc80955ace6
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-1497.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-1497.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-1497
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-1497
8
reference_url https://www.openwall.com/lists/oss-security/2011/04/06/13
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.openwall.com/lists/oss-security/2011/04/06/13
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2015262
reference_id 2015262
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2015262
10
reference_url https://github.com/advisories/GHSA-q58j-fmvf-9rq6
reference_id GHSA-q58j-fmvf-9rq6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q58j-fmvf-9rq6
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-1497, GHSA-q58j-fmvf-9rq6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fr3w-ejk8-47gw
58
url VCID-g13k-qvy7-q3fk
vulnerability_id VCID-g13k-qvy7-q3fk
summary 
Rails actionpack gem vulnerable to Cross-site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in the `mail_to` helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
3
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-0446
reference_id
reference_type
scores
0
value 0.0067
scoring_system epss
scoring_elements 0.71678
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-0446
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0446
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0446
6
reference_url http://secunia.com/advisories/43274
reference_id
reference_type
scores
url http://secunia.com/advisories/43274
7
reference_url http://secunia.com/advisories/43666
reference_id
reference_type
scores
url http://secunia.com/advisories/43666
8
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
9
reference_url https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/abe97736b8316f1b714cac56c115c0779aa73217
10
reference_url https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/e3dd2107c57a8efaaea5d61cf8da65f7444760b2
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0446.yml
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2011-0446.yml
13
reference_url https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-0446
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-0446
15
reference_url https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274
16
reference_url https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666
17
reference_url https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291
18
reference_url https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200812054342/http://www.securitytracker.com/id?1025064
19
reference_url http://www.debian.org/security/2011/dsa-2247
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2247
20
reference_url http://www.securityfocus.com/bid/46291
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/46291
21
reference_url http://www.securitytracker.com/id?1025064
reference_id
reference_type
scores
url http://www.securitytracker.com/id?1025064
22
reference_url http://www.vupen.com/english/advisories/2011/0587
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2011/0587
23
reference_url http://www.vupen.com/english/advisories/2011/0877
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2011/0877
24
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864
reference_id 614864
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864
25
reference_url https://github.com/advisories/GHSA-75w6-p6mg-vh8j
reference_id GHSA-75w6-p6mg-vh8j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-75w6-p6mg-vh8j
26
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.11-0.1?distro=trixie
purl pkg:deb/debian/rails@2.3.11-0.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.11-0.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-0446, GHSA-75w6-p6mg-vh8j
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g13k-qvy7-q3fk
59
url VCID-g2a6-uem4-uuce
vulnerability_id VCID-g2a6-uem4-uuce
summary 
actionpack Cross-Site Request Forgery vulnerability
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/c22ea1668c0d181c?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html
3
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-0447
reference_id
reference_type
scores
0
value 0.00991
scoring_system epss
scoring_elements 0.77177
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-0447
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0447
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0447
6
reference_url http://secunia.com/advisories/43274
reference_id
reference_type
scores
url http://secunia.com/advisories/43274
7
reference_url http://secunia.com/advisories/43666
reference_id
reference_type
scores
url http://secunia.com/advisories/43666
8
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
9
reference_url https://github.com/rails/rails/commit/66ce3843d32e9f2ac3b1da20067af53019bbb034
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/66ce3843d32e9f2ac3b1da20067af53019bbb034
10
reference_url https://github.com/rails/rails/commit/7e86f9b4d2b7dfa974c10ae7e6d8ef90f3d77f06
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/7e86f9b4d2b7dfa974c10ae7e6d8ef90f3d77f06
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0447.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0447.yml
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-0447
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-0447
13
reference_url https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20120527023027/http://www.securityfocus.com/bid/46291
14
reference_url https://web.archive.org/web/20170223045008/http://www.securitytracker.com/id?1025060
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20170223045008/http://www.securitytracker.com/id?1025060
15
reference_url http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
16
reference_url http://www.debian.org/security/2011/dsa-2247
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2247
17
reference_url http://www.securityfocus.com/bid/46291
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/46291
18
reference_url http://www.securitytracker.com/id?1025060
reference_id
reference_type
scores
url http://www.securitytracker.com/id?1025060
19
reference_url http://www.vupen.com/english/advisories/2011/0587
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2011/0587
20
reference_url http://www.vupen.com/english/advisories/2011/0877
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2011/0877
21
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864
reference_id 614864
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614864
22
reference_url https://github.com/advisories/GHSA-24fg-p96v-hxh8
reference_id GHSA-24fg-p96v-hxh8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-24fg-p96v-hxh8
23
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.11-0.1?distro=trixie
purl pkg:deb/debian/rails@2.3.11-0.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.11-0.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-0447, GHSA-24fg-p96v-hxh8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g2a6-uem4-uuce
60
url VCID-g8nb-cs9p-b7dc
vulnerability_id VCID-g8nb-cs9p-b7dc
summary 
activesupport Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in `json/encoding.rb` in Active Support in Ruby on Rails 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
references
0
reference_url http://openwall.com/lists/oss-security/2015/06/16/17
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2015/06/16/17
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3226.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3226.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2015-3226
reference_id
reference_type
scores
0
value 0.00212
scoring_system epss
scoring_elements 0.43698
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2015-3226
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
11
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
12
reference_url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ
13
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
14
reference_url https://groups.google.com/g/rubyonrails-core/c/qBUqVlXERag/m/kuH3wQk1kxUJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-core/c/qBUqVlXERag/m/kuH3wQk1kxUJ
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2015-3226
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2015-3226
16
reference_url https://web.archive.org/web/20200228033946/http://www.securityfocus.com/bid/75231
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228033946/http://www.securityfocus.com/bid/75231
17
reference_url https://web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755
18
reference_url http://www.debian.org/security/2016/dsa-3464
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3464
19
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1232310
reference_id 1232310
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1232310
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790486
reference_id 790486
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790486
21
reference_url https://github.com/advisories/GHSA-vxvp-4xwc-jpp6
reference_id GHSA-vxvp-4xwc-jpp6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vxvp-4xwc-jpp6
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.4-2?distro=trixie
purl pkg:deb/debian/rails@2:4.2.4-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.4-2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2015-3226, GHSA-vxvp-4xwc-jpp6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g8nb-cs9p-b7dc
61
url VCID-hmy5-ekrx-1ucn
vulnerability_id VCID-hmy5-ekrx-1ucn
summary 
Path Traversal in Action View
# File Content Disclosure in Action View

Impact 
------ 
There is a possible file content disclosure vulnerability in Action View.  Specially crafted accept headers in combination with calls to `render file:`  can cause arbitrary files on the target server to be rendered, disclosing the  file contents. 

The impact is limited to calls to `render` which render file contents without  a specified accept format.  Impacted code in a controller looks something like this: 

``` ruby
class UserController < ApplicationController 
  def index 
    render file: "#{Rails.root}/some/file" 
  end 
end 
``` 

Rendering templates as opposed to files is not impacted by this vulnerability. 

All users running an affected release should either upgrade or use one of the workarounds immediately. 

Releases 
-------- 
The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. 

Workarounds 
----------- 
This vulnerability can be mitigated by specifying a format for file rendering, like this: 

``` ruby
class UserController < ApplicationController 
  def index 
    render file: "#{Rails.root}/some/file", formats: [:html] 
  end 
end 
``` 

In summary, impacted calls to `render` look like this: 

``` 
render file: "#{Rails.root}/some/file" 
``` 

The vulnerability can be mitigated by changing to this: 

``` 
render file: "#{Rails.root}/some/file", formats: [:html] 
``` 

Other calls to `render` are not impacted. 

Alternatively, the following monkey patch can be applied in an initializer: 

``` ruby
$ cat config/initializers/formats_filter.rb 
# frozen_string_literal: true 

ActionDispatch::Request.prepend(Module.new do 
  def formats 
    super().select do |format| 
      format.symbol || format.ref == "*/*" 
    end 
  end 
end) 
``` 

Credits 
------- 
Thanks to John Hawthorn <john@hawthorn.email> of GitHub
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
1
reference_url http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html
2
reference_url https://access.redhat.com/errata/RHSA-2019:0796
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://access.redhat.com/errata/RHSA-2019:0796
3
reference_url https://access.redhat.com/errata/RHSA-2019:1147
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://access.redhat.com/errata/RHSA-2019:1147
4
reference_url https://access.redhat.com/errata/RHSA-2019:1149
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://access.redhat.com/errata/RHSA-2019:1149
5
reference_url https://access.redhat.com/errata/RHSA-2019:1289
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://access.redhat.com/errata/RHSA-2019:1289
6
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5418.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5418.json
7
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-5418
reference_id
reference_type
scores
0
value 0.94318
scoring_system epss
scoring_elements 0.99952
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-5418
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5418
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5418
9
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
10
reference_url https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q
11
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
12
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/zRNVOUhKHrg
13
reference_url https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-5418
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-5418
17
reference_url https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
18
reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
19
reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
20
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418
21
reference_url https://www.exploit-db.com/exploits/46585
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/46585
22
reference_url https://www.exploit-db.com/exploits/46585/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://www.exploit-db.com/exploits/46585/
23
reference_url http://www.openwall.com/lists/oss-security/2019/03/22/1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url http://www.openwall.com/lists/oss-security/2019/03/22/1
24
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1689159
reference_id 1689159
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1689159
25
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520
reference_id 924520
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520
26
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/46585.py
reference_id CVE-2019-5418
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/46585.py
27
reference_url https://github.com/advisories/GHSA-86g5-2wh3-gc9j
reference_id GHSA-86g5-2wh3-gc9j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-86g5-2wh3-gc9j
28
reference_url https://usn.ubuntu.com/7646-1/
reference_id USN-7646-1
reference_type
scores
url https://usn.ubuntu.com/7646-1/
29
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
reference_id Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-07-17T03:55:43Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2019-5418, GHSA-86g5-2wh3-gc9j
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hmy5-ekrx-1ucn
62
url VCID-jpj6-wzp3-m3e4
vulnerability_id VCID-jpj6-wzp3-m3e4
summary 
actionpack Improper Input Validation vulnerability
`actionpack/lib/action_view/template/text.rb` in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the `:text` option to the `render` method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
1
reference_url http://openwall.com/lists/oss-security/2014/02/18/10
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2014/02/18/10
2
reference_url http://rhn.redhat.com/errata/RHSA-2014-0215.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0215.html
3
reference_url http://rhn.redhat.com/errata/RHSA-2014-0306.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0306.html
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0082.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0082.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2014-0082
reference_id
reference_type
scores
0
value 0.06456
scoring_system epss
scoring_elements 0.91211
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2014-0082
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130
9
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0082.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0082.yml
11
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/LMxO_3_eCuc
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/rubyonrails-security/LMxO_3_eCuc
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2014-0082
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2014-0082
13
reference_url https://web.archive.org/web/20201207044540/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20201207044540/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ
14
reference_url https://web.archive.org/web/20220315115444/https://puppet.com/security/cve/cve-2014-0082
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20220315115444/https://puppet.com/security/cve/cve-2014-0082
15
reference_url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release
16
reference_url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
reference_id
reference_type
scores
url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1065538
reference_id 1065538
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1065538
18
reference_url https://github.com/advisories/GHSA-7cgp-c3g7-qvrw
reference_id GHSA-7cgp-c3g7-qvrw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7cgp-c3g7-qvrw
19
reference_url https://access.redhat.com/errata/RHSA-2014:0215
reference_id RHSA-2014:0215
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0215
20
reference_url https://access.redhat.com/errata/RHSA-2014:0306
reference_id RHSA-2014:0306
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0306
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2014-0082, GHSA-7cgp-c3g7-qvrw, OSV-103440
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jpj6-wzp3-m3e4
63
url VCID-jqcm-94qc-ykam
vulnerability_id VCID-jqcm-94qc-ykam
summary 
rails is vulnerable to CRLF injection
CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
references
0
reference_url http://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://github.com/rails/rails
1
reference_url http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-5189.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-5189.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2008-5189
reference_id
reference_type
scores
0
value 0.00169
scoring_system epss
scoring_elements 0.37871
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2008-5189
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5189
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5189
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2008-5189.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2008-5189.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2008-5189
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2008-5189
8
reference_url http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
9
reference_url http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=472510
reference_id 472510
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=472510
11
reference_url https://github.com/advisories/GHSA-jmgf-p46x-982h
reference_id GHSA-jmgf-p46x-982h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jmgf-p46x-982h
fixed_packages
0
url pkg:deb/debian/rails@2.1.0-6?distro=trixie
purl pkg:deb/debian/rails@2.1.0-6?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.1.0-6%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2008-5189, GHSA-jmgf-p46x-982h
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jqcm-94qc-ykam
64
url VCID-k6aw-heeb-wke2
vulnerability_id VCID-k6aw-heeb-wke2
summary 
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.

Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series
    7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22795
reference_id
reference_type
scores
0
value 0.01339
scoring_system epss
scoring_elements 0.80309
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22795
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
16
reference_url https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
17
reference_url https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592
18
reference_url https://github.com/rails/rails/releases/tag/v6.1.7.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.7.1
19
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
20
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
21
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22795
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22795
22
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
23
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
24
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164799
reference_id 2164799
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164799
25
reference_url https://github.com/advisories/GHSA-8xww-x3g3-6jcv
reference_id GHSA-8xww-x3g3-6jcv
reference_type
scores
url https://github.com/advisories/GHSA-8xww-x3g3-6jcv
26
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.3%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-22795, GHSA-8xww-x3g3-6jcv, GMS-2023-56
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k6aw-heeb-wke2
65
url VCID-kshz-ckjc-77ab
vulnerability_id VCID-kshz-ckjc-77ab
summary tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-27777.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-27777
reference_id
reference_type
scores
0
value 0.01409
scoring_system epss
scoring_elements 0.80797
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-27777
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml
17
reference_url https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
18
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-27777
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-27777
20
reference_url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
21
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982
reference_id 1016982
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016982
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2080296
reference_id 2080296
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2080296
24
reference_url https://github.com/advisories/GHSA-ch3h-j2vf-95pv
reference_id GHSA-ch3h-j2vf-95pv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ch3h-j2vf-95pv
25
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.6.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.6.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.6.1%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2022-27777, GHSA-ch3h-j2vf-95pv, GMS-2022-1138
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kshz-ckjc-77ab
66
url VCID-m156-zkzd-57g9
vulnerability_id VCID-m156-zkzd-57g9
summary 
actionpack is vulnerable to denial of service because of a wildcard controller route
actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.
references
0
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
3
reference_url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
4
reference_url http://rhn.redhat.com/errata/RHSA-2016-0296.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-0296.html
5
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7581.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7581.json
6
reference_url https://api.first.org/data/v1/epss?cve=CVE-2015-7581
reference_id
reference_type
scores
0
value 0.08542
scoring_system epss
scoring_elements 0.92514
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2015-7581
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
15
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:N/I:N/A:P
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2015-7581.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2015-7581.yml
17
reference_url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/dthJ5wL69JE/IdvCimtZEgAJ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/dthJ5wL69JE/IdvCimtZEgAJ
18
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2015-7581
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2015-7581
20
reference_url https://web.archive.org/web/20200228001849/http://www.securityfocus.com/bid/81677
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228001849/http://www.securityfocus.com/bid/81677
21
reference_url https://web.archive.org/web/20200516093752/http://www.securitytracker.com/id/1034816
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200516093752/http://www.securitytracker.com/id/1034816
22
reference_url http://www.debian.org/security/2016/dsa-3464
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3464
23
reference_url http://www.openwall.com/lists/oss-security/2016/01/25/16
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/01/25/16
24
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1301981
reference_id 1301981
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1301981
25
reference_url https://github.com/advisories/GHSA-9h6g-gp95-x3q5
reference_id GHSA-9h6g-gp95-x3q5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9h6g-gp95-x3q5
26
reference_url https://access.redhat.com/errata/RHSA-2016:0296
reference_id RHSA-2016:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0296
27
reference_url https://access.redhat.com/errata/RHSA-2016:0454
reference_id RHSA-2016:0454
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0454
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
purl pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.5.1-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2015-7581, GHSA-9h6g-gp95-x3q5
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m156-zkzd-57g9
67
url VCID-m9ud-s6w6-x7ac
vulnerability_id VCID-m9ud-s6w6-x7ac
summary actionpack: Possible XSS via User Supplied Values to redirect_to
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28362.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-28362
reference_id
reference_type
scores
0
value 0.00225
scoring_system epss
scoring_elements 0.45261
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-28362
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28362
3
reference_url https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3
scoring_elements
1
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
7
reference_url https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
8
reference_url https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28362
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-28362
11
reference_url https://security.netapp.com/advisory/ntap-20250502-0009
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250502-0009
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
reference_id 1051058
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051058
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2217785
reference_id 2217785
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2217785
14
reference_url https://github.com/advisories/GHSA-4g8v-vg43-wpgf
reference_id GHSA-4g8v-vg43-wpgf
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:26:42Z/
url https://github.com/advisories/GHSA-4g8v-vg43-wpgf
15
reference_url https://access.redhat.com/errata/RHSA-2023:7851
reference_id RHSA-2023:7851
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7851
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-28362, GHSA-4g8v-vg43-wpgf
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m9ud-s6w6-x7ac
68
url VCID-mgjg-juur-rfe5
vulnerability_id VCID-mgjg-juur-rfe5
summary rails: Possible Denial of Service vulnerability in Action Dispatch
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22902
reference_id
reference_type
scores
0
value 0.00677
scoring_system epss
scoring_elements 0.71843
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22902
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902
3
reference_url https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rails/rails/releases/tag/v6.0.3.7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.0.3.7
6
reference_url https://github.com/rails/rails/releases/tag/v6.1.3.2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.3.2
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml
8
reference_url https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c
9
reference_url https://hackerone.com/reports/1138654
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1138654
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22902
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22902
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1961382
reference_id 1961382
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1961382
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id 988214
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
13
reference_url https://security.archlinux.org/AVG-2090
reference_id AVG-2090
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2090
14
reference_url https://security.archlinux.org/AVG-2223
reference_id AVG-2223
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2223
15
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2021-22902, GHSA-g8ww-46x2-2p65
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mgjg-juur-rfe5
69
url VCID-mybr-9d4n-rfg4
vulnerability_id VCID-mybr-9d4n-rfg4
summary The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.
references
0
reference_url http://dev.rubyonrails.org/changeset/8177
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://dev.rubyonrails.org/changeset/8177
1
reference_url http://dev.rubyonrails.org/ticket/10048
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://dev.rubyonrails.org/ticket/10048
2
reference_url http://docs.info.apple.com/article.html?artnum=307179
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://docs.info.apple.com/article.html?artnum=307179
3
reference_url http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2007-6077
reference_id
reference_type
scores
0
value 0.03262
scoring_system epss
scoring_elements 0.87366
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2007-6077
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6077
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6077
6
reference_url http://secunia.com/advisories/27781
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/27781
7
reference_url http://secunia.com/advisories/28136
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/28136
8
reference_url https://github.com/advisories/GHSA-p4c6-77gc-694x
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-p4c6-77gc-694x
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-6077.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2007-6077.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2007-6077
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2007-6077
11
reference_url https://rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
12
reference_url http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
13
reference_url http://www.securityfocus.com/bid/26598
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/26598
14
reference_url http://www.us-cert.gov/cas/techalerts/TA07-352A.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.us-cert.gov/cas/techalerts/TA07-352A.html
15
reference_url http://www.vupen.com/english/advisories/2007/4009
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2007/4009
16
reference_url http://www.vupen.com/english/advisories/2007/4238
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2007/4238
17
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452748
reference_id 452748
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452748
18
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
0
url pkg:deb/debian/rails@1.2.6-1?distro=trixie
purl pkg:deb/debian/rails@1.2.6-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@1.2.6-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2007-6077, GHSA-p4c6-77gc-694x
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mybr-9d4n-rfg4
70
url VCID-n3jp-f9hq-kkc8
vulnerability_id VCID-n3jp-f9hq-kkc8
summary 
Authlogic Information Exposure vulnerability
The Authlogic gem for Ruby on Rails prior to version 3.3.0 makes potentially unsafe `find_by_id` method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in `secret_token.rb` in an open-source product.
references
0
reference_url http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
1
reference_url http://openwall.com/lists/oss-security/2013/01/03/12
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2013/01/03/12
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2012-6497
reference_id
reference_type
scores
0
value 0.00397
scoring_system epss
scoring_elements 0.60833
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2012-6497
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6497
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6497
4
reference_url https://github.com/binarylogic/authlogic
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/binarylogic/authlogic
5
reference_url https://github.com/binarylogic/authlogic/commit/1d57a6c4abe43a3c0b4ef578486ea00e1f7a9873
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/binarylogic/authlogic/commit/1d57a6c4abe43a3c0b4ef578486ea00e1f7a9873
6
reference_url https://github.com/binarylogic/authlogic/commit/1d57a6c4abe43a3c0b4ef578486ea00e1f7a9873#diff-724a09c582d42a66c65c0bdaadcb21ee
reference_id
reference_type
scores
url https://github.com/binarylogic/authlogic/commit/1d57a6c4abe43a3c0b4ef578486ea00e1f7a9873#diff-724a09c582d42a66c65c0bdaadcb21ee
7
reference_url https://github.com/binarylogic/authlogic/pull/341
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/binarylogic/authlogic/pull/341
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/authlogic/OSVDB-89064.yml
reference_id
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/authlogic/OSVDB-89064.yml
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2012-6497
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2012-6497
10
reference_url https://web.archive.org/web/20130104161608/http://www.securityfocus.com/bid/57084
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20130104161608/http://www.securityfocus.com/bid/57084
11
reference_url https://web.archive.org/web/20130116043311/http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20130116043311/http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2012-6497, GHSA-rx7j-mw4c-76g9, OSV-89064
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n3jp-f9hq-kkc8
71
url VCID-n7ga-1sx4-yfcv
vulnerability_id VCID-n7ga-1sx4-yfcv
summary rubygem-actionpack: Possible Open Redirect Vulnerability in Action Pack
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22903
reference_id
reference_type
scores
0
value 0.00096
scoring_system epss
scoring_elements 0.2653
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22903
2
reference_url https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails/releases/tag/v6.1.3.2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.3.2
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml
6
reference_url https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0
7
reference_url https://hackerone.com/reports/1148025
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1148025
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22903
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22903
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1957438
reference_id 1957438
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1957438
10
reference_url https://security.archlinux.org/AVG-1919
reference_id AVG-1919
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1919
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2021-22903, GHSA-5hq2-xf89-9jxq
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n7ga-1sx4-yfcv
72
url VCID-n7kh-9mpq-13c7
vulnerability_id VCID-n7kh-9mpq-13c7
summary 
Cross site scripting that affects rails
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper.
references
0
reference_url http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
1
reference_url http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source
2
reference_url http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
3
reference_url http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3009.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3009.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2009-3009
reference_id
reference_type
scores
0
value 0.01632
scoring_system epss
scoring_elements 0.8221
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2009-3009
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009
7
reference_url http://secunia.com/advisories/36600
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/36600
8
reference_url http://secunia.com/advisories/36717
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://secunia.com/advisories/36717
9
reference_url http://securitytracker.com/id?1022824
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://securitytracker.com/id?1022824
10
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
11
reference_url https://github.com/advisories/GHSA-8qrh-h9m2-5fvf
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-8qrh-h9m2-5fvf
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2009-3009.yml
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2009-3009
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2009-3009
14
reference_url http://support.apple.com/kb/HT4077
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT4077
15
reference_url http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
16
reference_url http://www.debian.org/security/2009/dsa-1887
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2009/dsa-1887
17
reference_url http://www.osvdb.org/57666
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.osvdb.org/57666
18
reference_url http://www.securityfocus.com/bid/36278
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/36278
19
reference_url http://www.vupen.com/english/advisories/2009/2544
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.vupen.com/english/advisories/2009/2544
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=520843
reference_id 520843
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=520843
21
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
reference_id 545063
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
22
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
0
url pkg:deb/debian/rails@2.2.3-1?distro=trixie
purl pkg:deb/debian/rails@2.2.3-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.2.3-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2009-3009, GHSA-8qrh-h9m2-5fvf, OSV-57666
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n7kh-9mpq-13c7
73
url VCID-nax4-x97j-9fgr
vulnerability_id VCID-nax4-x97j-9fgr
summary 
actionpack Improper Input Validation vulnerability
`actionpack/lib/action_view/lookup_context.rb` in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
1
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
2
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
3
reference_url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
4
reference_url http://rhn.redhat.com/errata/RHSA-2013-1794.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-1794.html
5
reference_url http://rhn.redhat.com/errata/RHSA-2014-0008.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0008.html
6
reference_url http://rhn.redhat.com/errata/RHSA-2014-1863.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-1863.html
7
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6414.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6414.json
8
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-6414
reference_id
reference_type
scores
0
value 0.70843
scoring_system epss
scoring_elements 0.98724
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-6414
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
14
reference_url http://seclists.org/oss-sec/2013/q4/400
reference_id
reference_type
scores
url http://seclists.org/oss-sec/2013/q4/400
15
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6414.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6414.yml
17
reference_url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ
18
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-6414
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-6414
20
reference_url https://puppet.com/security/cve/cve-2013-6414
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://puppet.com/security/cve/cve-2013-6414
21
reference_url https://web.archive.org/web/20160421165124/http://secunia.com/advisories/57836
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160421165124/http://secunia.com/advisories/57836
22
reference_url https://web.archive.org/web/20160808161629/https://puppet.com/security/cve/cve-2013-6414
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160808161629/https://puppet.com/security/cve/cve-2013-6414
23
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
24
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
25
reference_url http://www.debian.org/security/2014/dsa-2888
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2014/dsa-2888
26
reference_url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release
27
reference_url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
reference_id
reference_type
scores
url http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
28
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1036483
reference_id 1036483
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1036483
29
reference_url https://github.com/advisories/GHSA-mpxf-gcw2-pw5q
reference_id GHSA-mpxf-gcw2-pw5q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mpxf-gcw2-pw5q
30
reference_url https://access.redhat.com/errata/RHSA-2013:1794
reference_id RHSA-2013:1794
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:1794
31
reference_url https://access.redhat.com/errata/RHSA-2014:0008
reference_id RHSA-2014:0008
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0008
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-6414, GHSA-mpxf-gcw2-pw5q, OSV-100525
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nax4-x97j-9fgr
74
url VCID-ndth-atqq-53gq
vulnerability_id VCID-ndth-atqq-53gq
summary 
Rails has possible XSS Vulnerability in Action Controller
# Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers
(`translate`, `t`, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.

Versions Affected:  >= 7.0.0.
Not affected:       < 7.0.0
Fixed Versions:     7.1.3.1, 7.0.8.1

Impact
------
Applications using translation methods like `translate`, or `t` on a
controller, with a key ending in "_html", a `:default` key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

```ruby
class ArticlesController < ApplicationController
  def show  
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end
```

To reiterate the pre-conditions, applications must:

* Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from
  a view)
* Use a key that ends in `_html`
* Use a default value where the default value is untrusted and unescaped input
* Send the text to the victim (whether that's part of a template, or a
  `render` call)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

*  7-0-translate-xss.patch - Patch for 7.0 series
*  7-1-translate-xss.patch - Patch for 7.1 series

Credits
-------

Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26143.json
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26143.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26143
reference_id
reference_type
scores
0
value 0.02067
scoring_system epss
scoring_elements 0.8421
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26143
2
reference_url https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/
url https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/
url https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
6
reference_url https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/
url https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e
7
reference_url https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/
url https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26143
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26143
10
reference_url https://security.netapp.com/advisory/ntap-20240510-0004
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240510-0004
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2266388
reference_id 2266388
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2266388
12
reference_url https://github.com/advisories/GHSA-9822-6m93-xqf4
reference_id GHSA-9822-6m93-xqf4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9822-6m93-xqf4
13
reference_url https://security.netapp.com/advisory/ntap-20240510-0004/
reference_id ntap-20240510-0004
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/
url https://security.netapp.com/advisory/ntap-20240510-0004/
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-26143, GHSA-9822-6m93-xqf4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ndth-atqq-53gq
75
url VCID-ngyb-ydd8-ska3
vulnerability_id VCID-ngyb-ydd8-ska3
summary 
XSS in Action View
There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks.

### Impact

When an HTML-unsafe string is passed as the default for a missing translation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations), the default string is incorrectly marked as HTML-safe and not escaped. Vulnerable code may look like the following examples:

```erb
<%# The welcome_html translation is not defined for the current locale: %>
<%= t("welcome_html", default: untrusted_user_controlled_string) %>

<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>
<%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %>
```

### Patches

Patched Rails versions, 6.0.3.3 and 5.2.4.4, are available from the normal locations.

The patches have also been applied to the `master`, `6-0-stable`, and `5-2-stable` branches on GitHub. If you track any of these branches, you should update to the latest.

To aid users who aren’t able to upgrade immediately, we’ve provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* [5-2-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-5-2-translate-helper-xss-patch) — patch for the 5.2 release series
* [6-0-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-6-0-translate-helper-xss-patch) — patch for the 6.0 release series

Please note that only the 5.2 and 6.0 release series are currently supported. Users of earlier, unsupported releases are advised to update as soon as possible, as we cannot provide security fixes for unsupported releases.

### Workarounds

Impacted users who can’t upgrade to a patched Rails version can avoid this issue by manually escaping default translations with the `html_escape` helper (aliased as `h`):

```erb
<%= t("welcome_html", default: h(untrusted_user_controlled_string)) %>
```
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15169.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15169.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-15169
reference_id
reference_type
scores
0
value 0.01184
scoring_system epss
scoring_elements 0.79087
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-15169
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
9
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
10
reference_url https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e
11
reference_url https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-cfjv-5498-mph5
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-15169.yml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-15169.yml
13
reference_url https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
14
reference_url https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-15169
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-15169
18
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
19
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1877566
reference_id 1877566
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1877566
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970040
reference_id 970040
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970040
21
reference_url https://github.com/advisories/GHSA-cfjv-5498-mph5
reference_id GHSA-cfjv-5498-mph5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cfjv-5498-mph5
22
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.3%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-15169, GHSA-cfjv-5498-mph5
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ngyb-ydd8-ska3
76
url VCID-nmz3-ux68-dkfd
vulnerability_id VCID-nmz3-ux68-dkfd
summary Rails: Action Pack: Action Pack: Cross-Site Scripting (XSS) via improper exception message escaping
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33167
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.06147
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33167
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
reference_id
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/
url https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
5
reference_url https://github.com/rails/rails/releases/tag/v8.1.2.1
reference_id
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/
url https://github.com/rails/rails/releases/tag/v8.1.2.1
6
reference_url https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
reference_id
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/
url https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml
reference_id
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33167
reference_id
reference_type
scores
0
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33167
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2450552
reference_id 2450552
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2450552
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2026-33167, GHSA-pgm4-439c-5jp6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nmz3-ux68-dkfd
77
url VCID-nnka-c23v-qub7
vulnerability_id VCID-nnka-c23v-qub7
summary 
actionpack vulnerable to Cross-site Scripting
Cross-site scripting (XSS) vulnerability in the `number_to_currency` helper in `actionpack/lib/action_view/helpers/number_helper.rb` in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
1
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html
2
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
3
reference_url http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
4
reference_url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
5
reference_url http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html
6
reference_url http://rhn.redhat.com/errata/RHSA-2013-1794.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-1794.html
7
reference_url http://rhn.redhat.com/errata/RHSA-2014-0008.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0008.html
8
reference_url http://rhn.redhat.com/errata/RHSA-2014-1863.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-1863.html
9
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6415.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6415.json
10
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-6415
reference_id
reference_type
scores
0
value 0.01506
scoring_system epss
scoring_elements 0.8147
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-6415
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417
16
reference_url http://seclists.org/oss-sec/2013/q4/402
reference_id
reference_type
scores
url http://seclists.org/oss-sec/2013/q4/402
17
reference_url https://github.com/advisories/GHSA-6h5q-96hp-9jgm
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-6h5q-96hp-9jgm
18
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6415.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6415.yml
19
reference_url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ
20
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
21
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-6415
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-6415
22
reference_url https://puppet.com/security/cve/cve-2013-6415
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://puppet.com/security/cve/cve-2013-6415
23
reference_url https://web.archive.org/web/20131206180005/http://www.securityfocus.com/bid/64077
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20131206180005/http://www.securityfocus.com/bid/64077
24
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released
25
reference_url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
26
reference_url http://www.debian.org/security/2014/dsa-2888
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2014/dsa-2888
27
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1036910
reference_id 1036910
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1036910
28
reference_url https://access.redhat.com/errata/RHSA-2013:1794
reference_id RHSA-2013:1794
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:1794
29
reference_url https://access.redhat.com/errata/RHSA-2014:0008
reference_id RHSA-2014:0008
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0008
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-6415, GHSA-6h5q-96hp-9jgm, OSV-100524
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nnka-c23v-qub7
78
url VCID-nyer-au8u-f7h6
vulnerability_id VCID-nyer-au8u-f7h6
summary 
Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.

Impact
------

Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.


Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2

Credits
-------

Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47888.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47888.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47888
reference_id
reference_type
scores
0
value 0.00476
scoring_system epss
scoring_elements 0.65157
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47888
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47888
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47888
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
reference_id 1085376
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2319035
reference_id 2319035
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2319035
9
reference_url https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
reference_id 4f4312b21a6448336de7c7ab0c4d94b378def468
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
10
reference_url https://github.com/rails/rails/commit/727b0946c3cab04b825c039435eac963d4e91822
reference_id 727b0946c3cab04b825c039435eac963d4e91822
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/727b0946c3cab04b825c039435eac963d4e91822
11
reference_url https://github.com/rails/rails/commit/ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
reference_id ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
12
reference_url https://github.com/rails/rails/commit/de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
reference_id de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/
url https://github.com/rails/rails/commit/de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
13
reference_url https://github.com/advisories/GHSA-wwhv-wxv9-rpgw
reference_id GHSA-wwhv-wxv9-rpgw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wwhv-wxv9-rpgw
14
reference_url https://usn.ubuntu.com/7290-1/
reference_id USN-7290-1
reference_type
scores
url https://usn.ubuntu.com/7290-1/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-47888, GHSA-wwhv-wxv9-rpgw
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nyer-au8u-f7h6
79
url VCID-nzb9-vn9k-jbgs
vulnerability_id VCID-nzb9-vn9k-jbgs
summary 
Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter
There is a potential denial of service vulnerability present in ActiveRecord's PostgreSQL adapter.

This has been assigned the CVE identifier CVE-2022-44566.

Versions Affected: All. Not affected: None.

## Fixed Versions

- 2.3.18.47 (Rails LTS, which is a paid service and not part of the rubygem)
- 3.2.22.34 (Rails LTS, which is a paid service and not part of the rubygem)
- 4.2.11.27 (Rails LTS, which is a paid service and not part of the rubygem)
- 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem)
- 6.1.7.1
- 7.0.4.1

## Impact

In ActiveRecord < 7.0.4.1 and < 6.1.7.1, when a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.

## Releases

The fixed releases are available at the normal locations.

## Workarounds

Ensure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats. 

## Patches

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy 1 regarding security issues. They are in git-am format and consist of a single changeset.

 6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 6.1 series
 7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 7.0 series
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44566.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44566.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-44566
reference_id
reference_type
scores
0
value 0.01544
scoring_system epss
scoring_elements 0.81686
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-44566
2
reference_url https://code.jeremyevans.net/2022-11-01-forcing-sequential-scans-on-postgresql.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-25T13:43:31Z/
url https://code.jeremyevans.net/2022-11-01-forcing-sequential-scans-on-postgresql.html
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44566
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44566
4
reference_url https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-25T13:43:31Z/
url https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rails/rails/commit/4f44aa9d514e701ada92b5cf08beccf566eeaebf
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/4f44aa9d514e701ada92b5cf08beccf566eeaebf
8
reference_url https://github.com/rails/rails/commit/82bcdc011e2ff674e7dd8fd8cee3a831c908d29b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/82bcdc011e2ff674e7dd8fd8cee3a831c908d29b
9
reference_url https://github.com/rails/rails/releases/tag/v6.1.7.1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.7.1
10
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-44566.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2022-44566.yml
12
reference_url https://mailchi.mp/railslts/rails-lts-multiple-dos-vulnerabilities-in-rails-rack-and-globalid
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://mailchi.mp/railslts/rails-lts-multiple-dos-vulnerabilities-in-rails-rack-and-globalid
13
reference_url https://makandracards.com/railslts/508019-rails-5-2-lts-changelog#section-jan-20th-2023-rails-version-5-2-8-15
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://makandracards.com/railslts/508019-rails-5-2-lts-changelog#section-jan-20th-2023-rails-version-5-2-8-15
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-44566
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-44566
15
reference_url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
16
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164789
reference_id 2164789
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164789
18
reference_url https://github.com/advisories/GHSA-579w-22j4-4749
reference_id GHSA-579w-22j4-4749
reference_type
scores
url https://github.com/advisories/GHSA-579w-22j4-4749
19
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.3%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2022-44566, GHSA-579w-22j4-4749, GMS-2023-59
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nzb9-vn9k-jbgs
80
url VCID-p1yd-keq8-rkh3
vulnerability_id VCID-p1yd-keq8-rkh3
summary 
actionpack Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in the `strip_tags` helper in `actionpack/lib/action_controller/vendor/html-scanner/html/node.rb` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/fd41ab62966e0fd1?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html
3
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-2931
reference_id
reference_type
scores
0
value 0.00813
scoring_system epss
scoring_elements 0.7456
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-2931
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=731436
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=731436
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2931
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2931
7
reference_url http://secunia.com/advisories/45921
reference_id
reference_type
scores
url http://secunia.com/advisories/45921
8
reference_url https://github.com/advisories/GHSA-v5jg-558j-q67c
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-v5jg-558j-q67c
9
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
10
reference_url https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2931.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-2931.yml
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-2931
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-2931
13
reference_url http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
14
reference_url http://www.debian.org/security/2011/dsa-2301
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2011/dsa-2301
15
reference_url http://www.openwall.com/lists/oss-security/2011/08/17/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/17/1
16
reference_url http://www.openwall.com/lists/oss-security/2011/08/19/11
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/19/11
17
reference_url http://www.openwall.com/lists/oss-security/2011/08/20/1
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/20/1
18
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/13
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/13
19
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/14
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/14
20
reference_url http://www.openwall.com/lists/oss-security/2011/08/22/5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2011/08/22/5
21
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.14?distro=trixie
purl pkg:deb/debian/rails@2.3.14?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-2931, GHSA-v5jg-558j-q67c
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p1yd-keq8-rkh3
81
url VCID-q1rj-sqa4-q3b4
vulnerability_id VCID-q1rj-sqa4-q3b4
summary 
Rails Denial of Service vulnerability
Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2006-4112
reference_id
reference_type
scores
0
value 0.07371
scoring_system epss
scoring_elements 0.91833
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2006-4112
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4112
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4112
2
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/28364
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://exchange.xforce.ibmcloud.com/vulnerabilities/28364
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4112.yml
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2006-4112
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2006-4112
6
reference_url https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
7
reference_url https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200804225700/http://www.securityfocus.com/archive/1/442934/100/0/threaded
8
reference_url https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
9
reference_url http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
10
reference_url http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
11
reference_url http://www.kb.cert.org/vuls/id/699540
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.kb.cert.org/vuls/id/699540
12
reference_url http://www.novell.com/linux/security/advisories/2006_21_sr.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.novell.com/linux/security/advisories/2006_21_sr.html
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255
reference_id 382255
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255
14
reference_url https://github.com/advisories/GHSA-9wrq-xvmp-xjc8
reference_id GHSA-9wrq-xvmp-xjc8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9wrq-xvmp-xjc8
15
reference_url https://security.gentoo.org/glsa/200608-20
reference_id GLSA-200608-20
reference_type
scores
url https://security.gentoo.org/glsa/200608-20
fixed_packages
0
url pkg:deb/debian/rails@1.1.6-1?distro=trixie
purl pkg:deb/debian/rails@1.1.6-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@1.1.6-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2006-4112, GHSA-9wrq-xvmp-xjc8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q1rj-sqa4-q3b4
82
url VCID-q4zs-hq6a-ayf6
vulnerability_id VCID-q4zs-hq6a-ayf6
summary 
# Denial of Service Vulnerability in Action View

Impact 
------ 
Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server unable to process requests.  This impacts all Rails applications that render views. 

All users running an affected release should either upgrade or use one of the workarounds immediately. 

Releases 
-------- 
The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. 

Workarounds 
----------- 
This vulnerability can be mitigated by wrapping `render` calls with `respond_to` blocks.  For example, the following example is vulnerable: 

``` ruby
class UserController < ApplicationController 
  def index 
    render "index" 
  end 
end 
``` 

But the following code is not vulnerable: 

```ruby 
class UserController < ApplicationController 
  def index 
    respond_to |format| 
      format.html { render "index" } 
    end 
  end 
end 
``` 

Implicit rendering is impacted, so this code is vulnerable: 

```ruby 
class UserController < ApplicationController 
  def index 
  end 
end 
``` 

But can be changed this this: 

```ruby 
class UserController < ApplicationController 
  def index 
    respond_to |format| 
      format.html { render "index" } 
    end 
  end 
end 
``` 

Alternatively to specifying the format, the following monkey patch can be applied in an initializer: 

``` 
$ cat config/initializers/formats_filter.rb 
# frozen_string_literal: true 

ActionDispatch::Request.prepend(Module.new do 
  def formats 
    super().select do |format| 
      format.symbol || format.ref == "*/*" 
    end 
  end 
end) 
``` 

Please note that only the 5.2.x, 5.1.x, 5.0.x, and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. 

Also note that the patches for this vulnerability are the same as CVE-2019-5418. 

Credits 
------- 
Thanks to John Hawthorn <john@hawthorn.email> of GitHub
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
3
reference_url https://access.redhat.com/errata/RHSA-2019:0796
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2019:0796
4
reference_url https://access.redhat.com/errata/RHSA-2019:1147
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2019:1147
5
reference_url https://access.redhat.com/errata/RHSA-2019:1149
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2019:1149
6
reference_url https://access.redhat.com/errata/RHSA-2019:1289
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2019:1289
7
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5419.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5419.json
8
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-5419
reference_id
reference_type
scores
0
value 0.12118
scoring_system epss
scoring_elements 0.93919
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-5419
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5419
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5419
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
12
reference_url https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715
13
reference_url https://github.com/rails/rails/pull/35708
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/pull/35708
14
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2019-5419.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2019-5419.yml
15
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
16
reference_url https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA
18
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-5419
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-5419
20
reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released
21
reference_url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
reference_id
reference_type
scores
url https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
22
reference_url http://www.openwall.com/lists/oss-security/2019/03/22/1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2019/03/22/1
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1689160
reference_id 1689160
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1689160
24
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520
reference_id 924520
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924520
25
reference_url https://github.com/advisories/GHSA-m63j-wh5w-c252
reference_id GHSA-m63j-wh5w-c252
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m63j-wh5w-c252
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:5.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2.1%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2019-5419, GHSA-m63j-wh5w-c252
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q4zs-hq6a-ayf6
83
url VCID-q8un-ngwx-5kaw
vulnerability_id VCID-q8un-ngwx-5kaw
summary 
Active Record Improper Access Control
`activerecord/lib/active_record/nested_attributes.rb` in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
references
0
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
3
reference_url http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
4
reference_url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
5
reference_url http://rhn.redhat.com/errata/RHSA-2016-0296.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-0296.html
6
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7577.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7577.json
7
reference_url https://api.first.org/data/v1/epss?cve=CVE-2015-7577
reference_id
reference_type
scores
0
value 0.01209
scoring_system epss
scoring_elements 0.79277
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2015-7577
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:N/I:P/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2015-7577.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2015-7577.yml
18
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2015-7577
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2015-7577
20
reference_url http://www.debian.org/security/2016/dsa-3464
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3464
21
reference_url http://www.openwall.com/lists/oss-security/2016/01/25/10
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/01/25/10
22
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1301957
reference_id 1301957
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1301957
23
reference_url https://github.com/advisories/GHSA-xrr6-3pc4-m447
reference_id GHSA-xrr6-3pc4-m447
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xrr6-3pc4-m447
24
reference_url https://access.redhat.com/errata/RHSA-2016:0296
reference_id RHSA-2016:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0296
25
reference_url https://access.redhat.com/errata/RHSA-2016:0454
reference_id RHSA-2016:0454
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0454
26
reference_url https://access.redhat.com/errata/RHSA-2016:0455
reference_id RHSA-2016:0455
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0455
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
purl pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.5.1-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2015-7577, GHSA-xrr6-3pc4-m447
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q8un-ngwx-5kaw
84
url VCID-qswy-ngsk-yfhy
vulnerability_id VCID-qswy-ngsk-yfhy
summary 
activesupport Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in `activesupport/lib/active_support/core_ext/string/output_safety.rb` in Ruby on Rails before 2.3.16, 3.0.x before , 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.
references
0
reference_url http://rhn.redhat.com/errata/RHSA-2013-0154.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0154.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3464.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3464.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2012-3464
reference_id
reference_type
scores
0
value 0.00245
scoring_system epss
scoring_elements 0.47909
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2012-3464
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3464
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3464
4
reference_url https://github.com/advisories/GHSA-h835-75hw-pj89
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-h835-75hw-pj89
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/28f2c6f4037081da0a82104a3f473165ed4ed2ce
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/28f2c6f4037081da0a82104a3f473165ed4ed2ce
7
reference_url https://github.com/rails/rails/commit/780a718723cf87b49cfe204d355948c4e0932d23
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/780a718723cf87b49cfe204d355948c4e0932d23
8
reference_url https://github.com/rails/rails/commit/d0c9759d3aeb6327d68dd6c0de0fe2fed4e3c870
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/d0c9759d3aeb6327d68dd6c0de0fe2fed4e3c870
9
reference_url https://github.com/rails/rails/commit/d549df7133f2b0bad8112890d478c33e990e12bc
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/d549df7133f2b0bad8112890d478c33e990e12bc
10
reference_url https://github.com/rails/rails/issues/7215
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/issues/7215
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2012-3464.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2012-3464.yml
12
reference_url https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2012-3464
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2012-3464
14
reference_url http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=847199
reference_id 847199
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=847199
16
reference_url https://access.redhat.com/errata/RHSA-2012:1542
reference_id RHSA-2012:1542
reference_type
scores
url https://access.redhat.com/errata/RHSA-2012:1542
17
reference_url https://access.redhat.com/errata/RHSA-2013:0154
reference_id RHSA-2013:0154
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0154
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2012-3464, GHSA-h835-75hw-pj89, OSV-84516
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qswy-ngsk-yfhy
85
url VCID-qth9-abgp-wyaq
vulnerability_id VCID-qth9-abgp-wyaq
summary 
Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper in Action Pack.

Impact
------
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits
-------
Thanks to [ryotak](https://hackerone.com/ryotak) for the report!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-54133
reference_id
reference_type
scores
0
value 0.0019
scoring_system epss
scoring_elements 0.40653
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-54133
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
5
reference_url https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a
6
reference_url https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
7
reference_url https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
8
reference_url https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/
url https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-54133
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-54133
11
reference_url https://security.netapp.com/advisory/ntap-20250306-0010
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250306-0010
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
reference_id 1089755
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2331619
reference_id 2331619
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2331619
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-54133, GHSA-vfm5-rmrh-j26v
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qth9-abgp-wyaq
86
url VCID-qv5s-vase-2qas
vulnerability_id VCID-qv5s-vase-2qas
summary 
Array data injection vulnerability in activerecord
SQL injection vulnerability in `activerecord/lib/active_record/connection_adapters/postgresql/cast.rb` in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving `\` (backslash) characters that are not properly handled in operations on array columns.
references
0
reference_url http://openwall.com/lists/oss-security/2014/02/18/9
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2014/02/18/9
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0080.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0080.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2014-0080
reference_id
reference_type
scores
0
value 0.00248
scoring_system epss
scoring_elements 0.48216
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2014-0080
3
reference_url https://github.com/advisories/GHSA-hqf9-rc9j-5fmj
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-hqf9-rc9j-5fmj
4
reference_url https://github.com/rails/rails/tree/main/activerecord
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/tree/main/activerecord
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-0080.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-0080.yml
6
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/Wu96YkTUR6s
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/rubyonrails-security/Wu96YkTUR6s
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2014-0080
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2014-0080
8
reference_url https://web.archive.org/web/20210301004521/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210301004521/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1065517
reference_id 1065517
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1065517
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2014-0080, GHSA-hqf9-rc9j-5fmj, OSV-103438
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qv5s-vase-2qas
87
url VCID-qvc6-ev84-fkbd
vulnerability_id VCID-qvc6-ev84-fkbd
summary 
activesupport in Rails vulnerable to incorrect data conversion
`lib/active_support/json/backends/yaml.rb` in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
references
0
reference_url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
1
reference_url http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
2
reference_url http://rhn.redhat.com/errata/RHSA-2013-0201.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0201.html
3
reference_url http://rhn.redhat.com/errata/RHSA-2013-0202.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0202.html
4
reference_url http://rhn.redhat.com/errata/RHSA-2013-0203.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0203.html
5
reference_url https://access.redhat.com/errata/RHSA-2013:0201
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2013:0201
6
reference_url https://access.redhat.com/errata/RHSA-2013:0202
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2013:0202
7
reference_url https://access.redhat.com/errata/RHSA-2013:0203
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2013:0203
8
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0333.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0333.json
9
reference_url https://access.redhat.com/security/cve/CVE-2013-0333
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/security/cve/CVE-2013-0333
10
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-0333
reference_id
reference_type
scores
0
value 0.91761
scoring_system epss
scoring_elements 0.99699
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-0333
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=903440
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=903440
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333
13
reference_url https://github.com/advisories/GHSA-xgr2-v94m-rc9g
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-xgr2-v94m-rc9g
14
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2013-0333.yml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2013-0333.yml
15
reference_url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
16
reference_url https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-0333
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-0333
18
reference_url https://puppet.com/security/cve/cve-2013-0333
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://puppet.com/security/cve/cve-2013-0333
19
reference_url http://support.apple.com/kb/HT5784
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT5784
20
reference_url http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
21
reference_url http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
22
reference_url http://www.debian.org/security/2013/dsa-2613
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2013/dsa-2613
23
reference_url http://www.kb.cert.org/vuls/id/628463
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.kb.cert.org/vuls/id/628463
24
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699226
reference_id 699226
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699226
25
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/24434.rb
reference_id CVE-2013-0333;OSVDB-89594
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/24434.rb
26
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-0333, GHSA-xgr2-v94m-rc9g, OSV-89594
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qvc6-ev84-fkbd
88
url VCID-r6mr-ay8d-nqdd
vulnerability_id VCID-r6mr-ay8d-nqdd
summary 
actionpack is vulnerable to denial of service via a crafted HTTP Accept header
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
references
0
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
3
reference_url http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
4
reference_url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
5
reference_url http://rhn.redhat.com/errata/RHSA-2016-0296.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-0296.html
6
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-0751.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-0751.json
7
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-0751
reference_id
reference_type
scores
0
value 0.08895
scoring_system epss
scoring_elements 0.92689
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-0751
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
16
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:N/I:N/A:P
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
17
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
18
reference_url https://github.com/rails/rails/commit/127967b735813cd4f263df7a50426d74e7e9cc17
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/127967b735813cd4f263df7a50426d74e7e9cc17
19
reference_url https://github.com/rails/rails/commit/221937c8ba1d291430ceddebbd4bdef7d3cb47d6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/221937c8ba1d291430ceddebbd4bdef7d3cb47d6
20
reference_url https://github.com/rails/rails/commit/37047b779a177b911c7161052cfc34a30e1db0af
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/37047b779a177b911c7161052cfc34a30e1db0af
21
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0751.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0751.yml
22
reference_url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ
23
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
24
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-0751
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-0751
25
reference_url https://web.archive.org/web/20160128201702/http://www.securitytracker.com/id/1034816
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160128201702/http://www.securitytracker.com/id/1034816
26
reference_url https://web.archive.org/web/20200227181647/http://www.securityfocus.com/bid/81800
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200227181647/http://www.securityfocus.com/bid/81800
27
reference_url http://www.debian.org/security/2016/dsa-3464
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3464
28
reference_url http://www.openwall.com/lists/oss-security/2016/01/25/9
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/01/25/9
29
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1301946
reference_id 1301946
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1301946
30
reference_url https://github.com/advisories/GHSA-ffpv-c4hm-3x6v
reference_id GHSA-ffpv-c4hm-3x6v
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ffpv-c4hm-3x6v
31
reference_url https://access.redhat.com/errata/RHSA-2016:0296
reference_id RHSA-2016:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0296
32
reference_url https://access.redhat.com/errata/RHSA-2016:0454
reference_id RHSA-2016:0454
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0454
33
reference_url https://access.redhat.com/errata/RHSA-2016:0455
reference_id RHSA-2016:0455
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0455
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
purl pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.5.1-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2016-0751, GHSA-ffpv-c4hm-3x6v
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r6mr-ay8d-nqdd
89
url VCID-re7g-rxbm-dbd9
vulnerability_id VCID-re7g-rxbm-dbd9
summary rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-22577
reference_id
reference_type
scores
0
value 0.00495
scoring_system epss
scoring_elements 0.66053
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-22577
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
13
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
16
reference_url https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
17
reference_url https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
18
reference_url https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
19
reference_url https://github.com/rails/rails/pull/44635
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/pull/44635
20
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
21
reference_url https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
22
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
23
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-22577
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-22577
24
reference_url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
25
reference_url https://security.netapp.com/advisory/ntap-20221118-0002
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20221118-0002
26
reference_url https://security.netapp.com/advisory/ntap-20221118-0002/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20221118-0002/
27
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
28
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941
reference_id 1011941
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941
29
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2080302
reference_id 2080302
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2080302
30
reference_url https://github.com/advisories/GHSA-mm33-5vfq-3mm3
reference_id GHSA-mm33-5vfq-3mm3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mm33-5vfq-3mm3
31
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.6.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.6.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.6.1%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2022-22577, GHSA-mm33-5vfq-3mm3, GMS-2022-1137
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-re7g-rxbm-dbd9
90
url VCID-rgw4-mrr9-euda
vulnerability_id VCID-rgw4-mrr9-euda
summary 
actionpack Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/sanitize_helper.rb` in the `strip_tags` helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
references
0
reference_url http://rhn.redhat.com/errata/RHSA-2013-0154.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0154.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3465.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-3465.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2012-3465
reference_id
reference_type
scores
0
value 0.00333
scoring_system epss
scoring_elements 0.56331
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2012-3465
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3465
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3465
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/cf48c9c7dcbef8543171f7f7de8d3d9a16b58e77
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/cf48c9c7dcbef8543171f7f7de8d3d9a16b58e77
6
reference_url https://github.com/rails/rails/commit/e91e4e8bbee12ce1496bf384c04da6be296b687a
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/e91e4e8bbee12ce1496bf384c04da6be296b687a
7
reference_url https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/7fbb5392d4d282b5?dmode=source&output=gplain
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2012-3465
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2012-3465
9
reference_url http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=847200
reference_id 847200
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=847200
11
reference_url https://github.com/advisories/GHSA-7g65-ghrg-hpf5
reference_id GHSA-7g65-ghrg-hpf5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7g65-ghrg-hpf5
12
reference_url https://access.redhat.com/errata/RHSA-2012:1542
reference_id RHSA-2012:1542
reference_type
scores
url https://access.redhat.com/errata/RHSA-2012:1542
13
reference_url https://access.redhat.com/errata/RHSA-2013:0154
reference_id RHSA-2013:0154
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0154
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2012-3465, GHSA-7g65-ghrg-hpf5, OSV-84513
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rgw4-mrr9-euda
91
url VCID-rzya-9py9-sqe7
vulnerability_id VCID-rzya-9py9-sqe7
summary 
Cross site scripting vulnerability in ActionView
There is a possible cross site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers.  Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks.

### Impact

There is a possible XSS vulnerability in the `j` and `escape_javascript` methods in ActionView.  These methods are used for escaping JavaScript string literals.  Impacted code will look something like this:

```erb
<script>let a = `<%= j unknown_input %>`</script>
```

or

```erb
<script>let a = `<%= escape_javascript unknown_input %>`</script>
```

### Releases

The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.

### Workarounds

For those that can't upgrade, the following monkey patch may be used:

```ruby
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
  {
    "`" => "\\`",
    "$" => "\\$"
  }
)

module ActionView::Helpers::JavaScriptHelper
  alias :old_ej :escape_javascript
  alias :old_j :j

  def escape_javascript(javascript)
    javascript = javascript.to_s
    if javascript.empty?
      result = ""
    else
      result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
    end
    javascript.html_safe? ? result.html_safe : result
  end

  alias :j :escape_javascript
end
```

### Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* [5-2-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-5-2-js-helper-xss-patch) - Patch for 5.2 series
* [6-0-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-6-0-js-helper-xss-patch) - Patch for 6.0 series

Please note that only the 5.2 and 6.0 series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

### Credits

Thanks to Jesse Campos from Chef Secure
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5267.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5267.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-5267
reference_id
reference_type
scores
0
value 0.00887
scoring_system epss
scoring_elements 0.75792
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-5267
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5267
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5267
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a
6
reference_url https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-5267.yml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-5267.yml
8
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3
scoring_elements
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
9
reference_url https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-5267
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-5267
13
reference_url http://www.openwall.com/lists/oss-security/2020/03/19/1
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2020/03/19/1
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1831528
reference_id 1831528
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1831528
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954304
reference_id 954304
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954304
16
reference_url https://github.com/advisories/GHSA-65cv-r6x7-79hv
reference_id GHSA-65cv-r6x7-79hv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-65cv-r6x7-79hv
17
reference_url https://access.redhat.com/errata/RHSA-2020:4366
reference_id RHSA-2020:4366
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4366
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.4.1%2Bdfsg-2?distro=trixie
purl pkg:deb/debian/rails@2:5.2.4.1%2Bdfsg-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.4.1%252Bdfsg-2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-5267, GHSA-65cv-r6x7-79hv
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rzya-9py9-sqe7
92
url VCID-seud-h84p-uugv
vulnerability_id VCID-seud-h84p-uugv
summary 
SQL Injection in Active Record
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.
references
0
reference_url http://openwall.com/lists/oss-security/2014/07/02/5
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2014/07/02/5
1
reference_url http://rhn.redhat.com/errata/RHSA-2014-0876.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0876.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3482.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3482.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2014-3482
reference_id
reference_type
scores
0
value 0.01531
scoring_system epss
scoring_elements 0.81615
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2014-3482
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3482
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3482
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3483
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3483
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rails/rails/commit/1f2192e46d78ee0ba2b06373f2c24caf8440ff5b
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/1f2192e46d78ee0ba2b06373f2c24caf8440ff5b
8
reference_url https://groups.google.com/g/rubyonrails-security/c/wDxePLJGZdI
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/wDxePLJGZdI
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2014-3482
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2014-3482
10
reference_url http://www.debian.org/security/2014/dsa-2982
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2014/dsa-2982
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1114425
reference_id 1114425
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1114425
12
reference_url https://github.com/advisories/GHSA-mhwp-qhpc-h3jm
reference_id GHSA-mhwp-qhpc-h3jm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mhwp-qhpc-h3jm
13
reference_url https://access.redhat.com/errata/RHSA-2014:0876
reference_id RHSA-2014:0876
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0876
fixed_packages
0
url pkg:deb/debian/rails@2:4.1.4-1?distro=trixie
purl pkg:deb/debian/rails@2:4.1.4-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.1.4-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2014-3482, GHSA-mhwp-qhpc-h3jm, OSV-108664
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-seud-h84p-uugv
93
url VCID-sg9h-7dqr-xugu
vulnerability_id VCID-sg9h-7dqr-xugu
summary 
actionpack vulnerable to Path Traversal
Directory traversal vulnerability in `actionpack/lib/action_dispatch/middleware/static.rb` in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when `serve_static_assets` is enabled, allows remote attackers to determine the existence of files outside the application root via a `/..%2F` sequence.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7818.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7818.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2014-7818
reference_id
reference_type
scores
0
value 0.0022
scoring_system epss
scoring_elements 0.44666
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2014-7818
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7818
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7818
4
reference_url https://github.com/advisories/GHSA-29gr-w57f-rpfw
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-29gr-w57f-rpfw
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7818.yml
6
reference_url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ
7
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2014-7818
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2014-7818
9
reference_url https://puppet.com/security/cve/cve-2014-7829
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://puppet.com/security/cve/cve-2014-7829
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1161499
reference_id 1161499
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1161499
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770934
reference_id 770934
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770934
fixed_packages
0
url pkg:deb/debian/rails@2:4.1.8-1?distro=trixie
purl pkg:deb/debian/rails@2:4.1.8-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.1.8-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2014-7818, GHSA-29gr-w57f-rpfw
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sg9h-7dqr-xugu
94
url VCID-tjcm-cvtx-jbgt
vulnerability_id VCID-tjcm-cvtx-jbgt
summary 
ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

```
data = cache.fetch("demo", raw: true) { untrusted_string }
```
Versions Affected:  rails < 5.2.5, rails < 6.0.4
Not affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
  
Impact
------
Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds
-----------
It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the `raw` argument should be double-checked to ensure that they conform to the expected format.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8165
reference_id
reference_type
scores
0
value 0.90128
scoring_system epss
scoring_elements 0.99603
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8165
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
12
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
13
reference_url https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
14
reference_url https://hackerone.com/reports/413388
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/413388
15
reference_url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
16
reference_url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8165
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8165
18
reference_url https://security.netapp.com/advisory/ntap-20250509-0002
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250509-0002
19
reference_url https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
20
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843072
reference_id 1843072
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843072
22
reference_url https://github.com/advisories/GHSA-2p68-f74v-9wc6
reference_id GHSA-2p68-f74v-9wc6
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2p68-f74v-9wc6
23
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.4.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:5.2.4.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.4.3%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-8165, GHSA-2p68-f74v-9wc6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tjcm-cvtx-jbgt
95
url VCID-u1sg-z8t6-audk
vulnerability_id VCID-u1sg-z8t6-audk
summary 
Active Record contains SQL Injection via improper range quoting
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging improper range quoting.
references
0
reference_url http://openwall.com/lists/oss-security/2014/07/02/5
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2014/07/02/5
1
reference_url http://rhn.redhat.com/errata/RHSA-2014-0877.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0877.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3483.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3483.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2014-3483
reference_id
reference_type
scores
0
value 0.00924
scoring_system epss
scoring_elements 0.76341
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2014-3483
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3482
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3482
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3483
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3483
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-3483.yml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2014-3483.yml
7
reference_url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J
8
reference_url https://groups.google.com/forum/#!msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J
reference_id
reference_type
scores
url https://groups.google.com/forum/#!msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J
9
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/8GtfeYd6qI4
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/rubyonrails-security/8GtfeYd6qI4
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2014-3483
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2014-3483
11
reference_url https://web.archive.org/web/20200228150648/http://www.securityfocus.com/bid/68341
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228150648/http://www.securityfocus.com/bid/68341
12
reference_url http://www.debian.org/security/2014/dsa-2982
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2014/dsa-2982
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1114427
reference_id 1114427
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1114427
14
reference_url https://github.com/advisories/GHSA-r8fh-hq2p-7qhq
reference_id GHSA-r8fh-hq2p-7qhq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r8fh-hq2p-7qhq
15
reference_url https://access.redhat.com/errata/RHSA-2014:0877
reference_id RHSA-2014:0877
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0877
fixed_packages
0
url pkg:deb/debian/rails@2:4.1.4-1?distro=trixie
purl pkg:deb/debian/rails@2:4.1.4-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.1.4-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2014-3483, GHSA-r8fh-hq2p-7qhq, OSV-108665
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u1sg-z8t6-audk
96
url VCID-u8xd-qhpd-3uf9
vulnerability_id VCID-u8xd-qhpd-3uf9
summary rubygem-activestorage: Code injection vulnerability in ActiveStorage
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21831.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21831.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-21831
reference_id
reference_type
scores
0
value 0.0142
scoring_system epss
scoring_elements 0.80898
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-21831
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
13
reference_url https://github.com/advisories/GHSA-w749-p3v6-hccq
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-w749-p3v6-hccq
14
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
15
reference_url https://github.com/rails/rails/commit/0a72f7d670e9aa77a0bb8584cb1411ddabb7546e
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/0a72f7d670e9aa77a0bb8584cb1411ddabb7546e
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2022-21831.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2022-21831.yml
17
reference_url https://groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI
18
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-21831
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-21831
20
reference_url https://rubysec.com/advisories/CVE-2022-21831
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://rubysec.com/advisories/CVE-2022-21831
21
reference_url https://security.netapp.com/advisory/ntap-20221118-0001
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20221118-0001
22
reference_url https://security.netapp.com/advisory/ntap-20221118-0001/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20221118-0001/
23
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
24
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011940
reference_id 1011940
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011940
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2064747
reference_id 2064747
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2064747
26
reference_url https://rubysec.com/advisories/CVE-2022-21831/
reference_id CVE-2022-21831
reference_type
scores
url https://rubysec.com/advisories/CVE-2022-21831/
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.4.7%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.4.7%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.4.7%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2022-21831, GHSA-w749-p3v6-hccq, GMS-2022-301
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u8xd-qhpd-3uf9
97
url VCID-uppk-66vw-gbb9
vulnerability_id VCID-uppk-66vw-gbb9
summary 
Cross-site scripting in actionpack
In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

Workarounds
-----------
Until such time as the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environment/development.rb: `config.middleware.delete ActionDispatch::ActionableExceptions`
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8264.json
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8264.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8264
reference_id
reference_type
scores
0
value 0.00346
scoring_system epss
scoring_elements 0.57369
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8264
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8264
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8264
3
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8264.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8264.yml
4
reference_url https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk
5
reference_url https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ
6
reference_url https://hackerone.com/reports/904059
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/904059
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8264
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8264
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1886554
reference_id 1886554
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1886554
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971988
reference_id 971988
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971988
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.4%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.4%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.4%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-8264, GHSA-35mm-cc6r-8fjp
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uppk-66vw-gbb9
98
url VCID-usyz-95tu-hyca
vulnerability_id VCID-usyz-95tu-hyca
summary 
Remote code execution via user-provided local names in ActionView
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.
references
0
reference_url http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/158604/Ruby-On-Rails-5.0.1-Remote-Code-Execution.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8163.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8163.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8163
reference_id
reference_type
scores
0
value 0.91071
scoring_system epss
scoring_elements 0.99657
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8163
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8163
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8163
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8163.yml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8163.yml
6
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
7
reference_url https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0
8
reference_url https://hackerone.com/reports/304805
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/304805
9
reference_url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8163
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8163
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1848724
reference_id 1848724
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1848724
12
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/48716.rb
reference_id CVE-2020-8163
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/ruby/webapps/48716.rb
13
reference_url https://github.com/advisories/GHSA-cr3x-7m39-c6jq
reference_id GHSA-cr3x-7m39-c6jq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cr3x-7m39-c6jq
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.0%2Bdfsg-2?distro=trixie
purl pkg:deb/debian/rails@2:5.2.0%2Bdfsg-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.0%252Bdfsg-2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-8163, GHSA-cr3x-7m39-c6jq
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-usyz-95tu-hyca
99
url VCID-v2hk-dfbe-5khc
vulnerability_id VCID-v2hk-dfbe-5khc
summary 
Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch
# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines
of Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2024-26142.

Versions Affected:  >= 7.1.0, < 7.1.3.1
Not affected:       < 7.1.0
Fixed Versions:     7.1.3.1

Impact
------
Carefully crafted Accept headers can cause Accept header parsing in Action
Dispatch to take an unexpected amount of time, possibly resulting in a DoS
vulnerability.  All users running an affected release should either upgrade or
use one of the workarounds immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby
3.2 or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 7-1-accept-redox.patch - Patch for 7.1 series

Credits
-------
Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26142
reference_id
reference_type
scores
0
value 0.03542
scoring_system epss
scoring_elements 0.87875
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26142
2
reference_url https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/
url https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/
url https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
6
reference_url https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/
url https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26142
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26142
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2266324
reference_id 2266324
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2266324
10
reference_url https://github.com/advisories/GHSA-jjhx-jhvp-74wq
reference_id GHSA-jjhx-jhvp-74wq
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jjhx-jhvp-74wq
11
reference_url https://security.netapp.com/advisory/ntap-20240503-0003/
reference_id ntap-20240503-0003
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/
url https://security.netapp.com/advisory/ntap-20240503-0003/
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2024-26142, GHSA-jjhx-jhvp-74wq
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v2hk-dfbe-5khc
100
url VCID-v3u5-6bpb-qfgf
vulnerability_id VCID-v3u5-6bpb-qfgf
summary Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7829.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7829.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2014-7829
reference_id
reference_type
scores
0
value 0.00265
scoring_system epss
scoring_elements 0.50107
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2014-7829
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7829
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7829
4
reference_url https://github.com/advisories/GHSA-h56m-vwxc-3qpw
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-h56m-vwxc-3qpw
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7829.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-7829.yml
6
reference_url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ
7
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2014-7829
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2014-7829
9
reference_url https://puppet.com/security/cve/cve-2014-7829
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://puppet.com/security/cve/cve-2014-7829
10
reference_url https://web.archive.org/web/20160403085126/http://www.securityfocus.com/bid/71183
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160403085126/http://www.securityfocus.com/bid/71183
11
reference_url http://weblog.rubyonrails.org/2014/11/19/Rails-4-0-11-1-and-4-1-7-1-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2014/11/19/Rails-4-0-11-1-and-4-1-7-1-have-been-released/
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1164659
reference_id 1164659
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1164659
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770934
reference_id 770934
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770934
fixed_packages
0
url pkg:deb/debian/rails@2:4.1.8-1?distro=trixie
purl pkg:deb/debian/rails@2:4.1.8-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.1.8-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2014-7829, GHSA-h56m-vwxc-3qpw
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v3u5-6bpb-qfgf
101
url VCID-vhjv-9864-tbcs
vulnerability_id VCID-vhjv-9864-tbcs
summary 
actionpack Cross-site Scripting vulnerability
The sanitize helper in `lib/action_controller/vendor/html-scanner/html/sanitizer.rb` in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded `:` (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a `&#x3a;` sequence.
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-04/msg00072.html
1
reference_url http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-04/msg00073.html
2
reference_url http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html
3
reference_url http://rhn.redhat.com/errata/RHSA-2013-0698.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0698.html
4
reference_url http://rhn.redhat.com/errata/RHSA-2014-1863.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-1863.html
5
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-1857.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-1857.json
6
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-1857
reference_id
reference_type
scores
0
value 0.00625
scoring_system epss
scoring_elements 0.7051
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-1857
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1857
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1857
8
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
9
reference_url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI
reference_id
reference_type
scores
url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI
10
reference_url https://groups.google.com/group/rubyonrails-security/msg/78b9817a5943f6d6?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/78b9817a5943f6d6?dmode=source&output=gplain
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-1857
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-1857
12
reference_url http://support.apple.com/kb/HT5784
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT5784
13
reference_url https://web.archive.org/web/20130609174600/http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20130609174600/http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
14
reference_url https://web.archive.org/web/20131109010518/http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20131109010518/http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
15
reference_url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released
16
reference_url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=921335
reference_id 921335
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=921335
18
reference_url https://github.com/advisories/GHSA-j838-vfpq-fmf2
reference_id GHSA-j838-vfpq-fmf2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j838-vfpq-fmf2
19
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-1857, GHSA-j838-vfpq-fmf2, OSV-91454
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vhjv-9864-tbcs
102
url VCID-vs1a-m7ya-rue8
vulnerability_id VCID-vs1a-m7ya-rue8
summary 
Rails vulnerable to Cross-site Scripting
There is an XSS vulnerability in the `number_to_currency`, `number_to_percentage` and `number_to_human` helpers in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0081.

Versions Affected:  All.
Fixed Versions:     4.1.0.beta2, 4.0.3, 3.2.17.

Impact
------
These helpers allows users to nicely format a numeric value. Some of the parameters to the helper (format, negative_format and units) are not escaped correctly. Applications which pass user controlled data as one of these parameters are vulnerable to an XSS attack.

All users passing user controlled data to these parameters of the number helpers should either upgrade or use one of the workarounds immediately.

Releases
--------
The 4.1.0.rc1, 4.0.3 and 3.2.17 releases are available at the normal locations.

Workarounds
-----------

The workaround for this issue is to escape the value passed to the parameter.
For example, replace code like this:

```ruby
<%= number_to_currency(1.02, format: params[:format]) %>
```

With code like this

```ruby
<%= number_to_currency(1.02, format: h(params[:format])) %>
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 4-1-beta-number_helpers_xss.patch - Patch for 4.1-beta series
* 4-0-number_helpers_xss.patch - Patch for 4.0 series
* 3-2-number_helpers_xss.patch - Patch for 3.2 series

Please note that only the 4.0.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Kevin Reintjes for reporting the issue to us.

-- 
Aaron Patterson
http://tenderlovemaking.com/
references
0
reference_url http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
1
reference_url http://openwall.com/lists/oss-security/2014/02/18/8
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2014/02/18/8
2
reference_url http://rhn.redhat.com/errata/RHSA-2014-0215.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0215.html
3
reference_url http://rhn.redhat.com/errata/RHSA-2014-0306.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2014-0306.html
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0081.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0081.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2014-0081
reference_id
reference_type
scores
0
value 0.00885
scoring_system epss
scoring_elements 0.75766
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2014-0081
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130
9
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
10
reference_url https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2014-0081.yml
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2014-0081.yml
13
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2014-0081
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2014-0081
15
reference_url https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782
16
reference_url https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647
17
reference_url https://web.archive.org/web/20201207045136/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20201207045136/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1065520
reference_id 1065520
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1065520
19
reference_url https://github.com/advisories/GHSA-m46p-ggm5-5j83
reference_id GHSA-m46p-ggm5-5j83
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m46p-ggm5-5j83
20
reference_url https://access.redhat.com/errata/RHSA-2014:0215
reference_id RHSA-2014:0215
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0215
21
reference_url https://access.redhat.com/errata/RHSA-2014:0306
reference_id RHSA-2014:0306
reference_type
scores
url https://access.redhat.com/errata/RHSA-2014:0306
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2014-0081, GHSA-m46p-ggm5-5j83, OSV-103439
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vs1a-m7ya-rue8
103
url VCID-vta6-rneu-jbgg
vulnerability_id VCID-vta6-rneu-jbgg
summary 
ActiveRecord vulnerable to modification of protected model attributes
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the `attr_protected` protection mechanism and modify protected model attributes via a crafted request.
references
0
reference_url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
1
reference_url http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
2
reference_url http://rhn.redhat.com/errata/RHSA-2013-0686.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0686.html
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0276.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0276.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-0276
reference_id
reference_type
scores
0
value 0.00606
scoring_system epss
scoring_elements 0.69976
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-0276
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0276.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-0276.yml
7
reference_url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/AFBKNY7VSH8
reference_id
reference_type
scores
url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/AFBKNY7VSH8
8
reference_url https://groups.google.com/group/rubyonrails-security/msg/bb44b98a73ef1a06?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/bb44b98a73ef1a06?dmode=source&output=gplain
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-0276
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-0276
10
reference_url http://support.apple.com/kb/HT5784
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT5784
11
reference_url https://web.archive.org/web/20130217055442/http://www.securityfocus.com/bid/57896
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20130217055442/http://www.securityfocus.com/bid/57896
12
reference_url http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released
13
reference_url http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
14
reference_url http://www.debian.org/security/2013/dsa-2620
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2013/dsa-2620
15
reference_url http://www.openwall.com/lists/oss-security/2013/02/11/5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2013/02/11/5
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=909528
reference_id 909528
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=909528
17
reference_url https://github.com/advisories/GHSA-gr44-7grc-37vq
reference_id GHSA-gr44-7grc-37vq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gr44-7grc-37vq
18
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
19
reference_url https://access.redhat.com/errata/RHSA-2013:0686
reference_id RHSA-2013:0686
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0686
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-0276, GHSA-gr44-7grc-37vq, OSV-90072
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vta6-rneu-jbgg
104
url VCID-w8ez-zf1z-qubq
vulnerability_id VCID-w8ez-zf1z-qubq
summary 
Ruby on Rails vulnerable to code injection
Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with "severe" or "serious" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112.
references
0
reference_url http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2006-4111
reference_id
reference_type
scores
0
value 0.03984
scoring_system epss
scoring_elements 0.886
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2006-4111
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4111
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4111
3
reference_url https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2006-4111.yml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2006-4111
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2006-4111
7
reference_url https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200301174340/http://www.securityfocus.com/bid/19454
8
reference_url https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200808083046/http://securitytracker.com/id?1016673
9
reference_url http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
10
reference_url http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml
11
reference_url http://www.novell.com/linux/security/advisories/2006_21_sr.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.novell.com/linux/security/advisories/2006_21_sr.html
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255
reference_id 382255
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382255
13
reference_url https://github.com/advisories/GHSA-rvpq-5xqx-pfpp
reference_id GHSA-rvpq-5xqx-pfpp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rvpq-5xqx-pfpp
14
reference_url https://security.gentoo.org/glsa/200608-20
reference_id GLSA-200608-20
reference_type
scores
url https://security.gentoo.org/glsa/200608-20
fixed_packages
0
url pkg:deb/debian/rails@1.1.5-1?distro=trixie
purl pkg:deb/debian/rails@1.1.5-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@1.1.5-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2006-4111, GHSA-rvpq-5xqx-pfpp
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w8ez-zf1z-qubq
105
url VCID-whvz-g2g9-auek
vulnerability_id VCID-whvz-g2g9-auek
summary 
SQL Injection Vulnerability via ActiveRecord comments
There is a possible vulnerability in ActiveRecord related to the sanitization of comments. This vulnerability has been assigned the CVE identifier CVE-2023-22794.

Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.0.6.1, 6.1.7.1, 7.0.4.1
Impact

Previously the implementation of escaping for comments was insufficient for

If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.

In most cases these interfaces won’t be used with user input and users should avoid doing so.

Example vulnerable code:
```
Post.where(id: 1).annotate("#{params[:user_input]}")

Post.where(id: 1).optimizer_hints("#{params[:user_input]}")
```
Example vulnerable QueryLogs configuration (the default configuration is not vulnerable):
```
config.active_record.query_log_tags = [
  {
    something: -> { <some value including user input> }
  }
]
```
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

Avoid passing user input to annotate and avoid using QueryLogs configuration which can include user input.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    6-0-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 6.0 series
    6-1-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 6.1 series
    7-0-Make-sanitize_as_sql_comment-more-strict.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22794.json
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22794.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22794
reference_id
reference_type
scores
0
value 0.05757
scoring_system epss
scoring_elements 0.90593
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22794
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
12
reference_url https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117
13
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
14
reference_url https://github.com/rails/rails/commit/d7aba06953f9fa789c411676b941d20df8ef73de
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/d7aba06953f9fa789c411676b941d20df8ef73de
15
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
16
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2023-22794.yml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2023-22794.yml
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22794
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22794
18
reference_url https://security.netapp.com/advisory/ntap-20240202-0008
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240202-0008
19
reference_url https://www.debian.org/security/2023/dsa-5372
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5372
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id 1030050
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164785
reference_id 2164785
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164785
22
reference_url https://github.com/advisories/GHSA-hq7p-j377-6v63
reference_id GHSA-hq7p-j377-6v63
reference_type
scores
url https://github.com/advisories/GHSA-hq7p-j377-6v63
23
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.3%252Bdfsg-1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-22794, GHSA-hq7p-j377-6v63, GMS-2023-60
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-whvz-g2g9-auek
106
url VCID-wm9p-z4n1-t7cs
vulnerability_id VCID-wm9p-z4n1-t7cs
summary 
CSRF Vulnerability in rails-ujs
There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains.

Versions Affected:  rails <= 6.0.3
Not affected:       Applications which don't use rails-ujs.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

This is a regression of CVE-2015-1840.

In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent.

Workarounds
-----------

To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters.

For example, code like this:

    link_to params

to code like this:

    link_to filtered_params

    def filtered_params
      # Filter just the parameters that you trust
    end
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8167
reference_id
reference_type
scores
0
value 0.00427
scoring_system epss
scoring_elements 0.62685
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8167
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
8
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-8167.yml
10
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
11
reference_url https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/x9DixQDG9a0
12
reference_url https://hackerone.com/reports/189878
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/189878
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8167
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8167
14
reference_url https://www.debian.org/security/2020/dsa-4766
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2020/dsa-4766
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1843084
reference_id 1843084
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1843084
16
reference_url https://github.com/advisories/GHSA-xq5j-gw7f-jgj8
reference_id GHSA-xq5j-gw7f-jgj8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xq5j-gw7f-jgj8
17
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.4.3%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:5.2.4.3%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.4.3%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-8167, GHSA-xq5j-gw7f-jgj8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wm9p-z4n1-t7cs
107
url VCID-wz1m-798r-8yez
vulnerability_id VCID-wz1m-798r-8yez
summary 
Rails ActiveRecord gem vulnerable to SQL injection
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) `:limit` and (2) `:offset` parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
references
0
reference_url http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
reference_id
reference_type
scores
url http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
1
reference_url http://gist.github.com/8946
reference_id
reference_type
scores
url http://gist.github.com/8946
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
3
reference_url http://rails.lighthouseapp.com/projects/8994/tickets/288
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rails.lighthouseapp.com/projects/8994/tickets/288
4
reference_url http://rails.lighthouseapp.com/projects/8994/tickets/964
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rails.lighthouseapp.com/projects/8994/tickets/964
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2008-4094
reference_id
reference_type
scores
0
value 0.03119
scoring_system epss
scoring_elements 0.87063
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2008-4094
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4094
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4094
7
reference_url http://secunia.com/advisories/31875
reference_id
reference_type
scores
url http://secunia.com/advisories/31875
8
reference_url http://secunia.com/advisories/31909
reference_id
reference_type
scores
url http://secunia.com/advisories/31909
9
reference_url http://secunia.com/advisories/31910
reference_id
reference_type
scores
url http://secunia.com/advisories/31910
10
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
11
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
12
reference_url https://github.com/rails/rails/commit/ef0ea782b1f5cf7b08e74ea3002a16c708f66645
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/ef0ea782b1f5cf7b08e74ea3002a16c708f66645
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2008-4094.yml
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2008-4094
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2008-4094
15
reference_url https://web.archive.org/web/20080620000955/http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20080620000955/http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
16
reference_url https://web.archive.org/web/20080620201733/http://blog.innerewut.de/files/rails/activerecord-1.15.3.patch
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20080620201733/http://blog.innerewut.de/files/rails/activerecord-1.15.3.patch
17
reference_url https://web.archive.org/web/20080620201744/http://blog.innerewut.de/files/rails/activerecord-2.0.2.patch
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20080620201744/http://blog.innerewut.de/files/rails/activerecord-2.0.2.patch
18
reference_url https://web.archive.org/web/20081104151751/http://gist.github.com/8946
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20081104151751/http://gist.github.com/8946
19
reference_url https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875
20
reference_url https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875/
reference_id
reference_type
scores
url https://web.archive.org/web/20081113122736/http://secunia.com/advisories/31875/
21
reference_url https://web.archive.org/web/20081207211431/http://secunia.com/advisories/31909
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20081207211431/http://secunia.com/advisories/31909
22
reference_url https://web.archive.org/web/20081207211436/http://secunia.com/advisories/31910
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20081207211436/http://secunia.com/advisories/31910
23
reference_url https://web.archive.org/web/20091101000000*/http://www.vupen.com/english/advisories/2008/2562
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20091101000000*/http://www.vupen.com/english/advisories/2008/2562
24
reference_url https://web.archive.org/web/20120120194518/http://www.securityfocus.com/bid/31176
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20120120194518/http://www.securityfocus.com/bid/31176
25
reference_url https://web.archive.org/web/20201207112829/http://www.securitytracker.com/id?1020871
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20201207112829/http://www.securitytracker.com/id?1020871
26
reference_url http://www.openwall.com/lists/oss-security/2008/09/13/2
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2008/09/13/2
27
reference_url http://www.openwall.com/lists/oss-security/2008/09/16/1
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2008/09/16/1
28
reference_url http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter
29
reference_url http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
reference_id
reference_type
scores
url http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
30
reference_url http://www.securityfocus.com/bid/31176
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/31176
31
reference_url http://www.securitytracker.com/id?1020871
reference_id
reference_type
scores
url http://www.securitytracker.com/id?1020871
32
reference_url http://www.vupen.com/english/advisories/2008/2562
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2008/2562
33
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500791
reference_id 500791
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500791
34
reference_url https://github.com/advisories/GHSA-xf96-32q2-9rw2
reference_id GHSA-xf96-32q2-9rw2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xf96-32q2-9rw2
35
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
0
url pkg:deb/debian/rails@2.1.0-1?distro=trixie
purl pkg:deb/debian/rails@2.1.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.1.0-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2008-4094, GHSA-xf96-32q2-9rw2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wz1m-798r-8yez
108
url VCID-x7p8-bnqg-wbca
vulnerability_id VCID-x7p8-bnqg-wbca
summary 
rails vulnerable to improper authentication
The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
references
0
reference_url http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
1
reference_url http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2422.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2422.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2009-2422
reference_id
reference_type
scores
0
value 0.00403
scoring_system epss
scoring_elements 0.61162
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2009-2422
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
5
reference_url http://secunia.com/advisories/35702
reference_id
reference_type
scores
url http://secunia.com/advisories/35702
6
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/51528
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://exchange.xforce.ibmcloud.com/vulnerabilities/51528
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-2422.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-2422.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2009-2422
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2009-2422
9
reference_url http://support.apple.com/kb/HT4077
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT4077
10
reference_url https://web.archive.org/web/20090711160153/http://secunia.com/advisories/35702
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20090711160153/http://secunia.com/advisories/35702
11
reference_url https://web.archive.org/web/20200229192617/http://www.securityfocus.com/bid/35579
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200229192617/http://www.securityfocus.com/bid/35579
12
reference_url http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
13
reference_url http://www.securityfocus.com/bid/35579
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/35579
14
reference_url http://www.vupen.com/english/advisories/2009/1802
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2009/1802
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=509564
reference_id 509564
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=509564
16
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535896
reference_id 535896
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535896
17
reference_url https://github.com/advisories/GHSA-rxq3-gm4p-5fj4
reference_id GHSA-rxq3-gm4p-5fj4
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rxq3-gm4p-5fj4
18
reference_url https://security.gentoo.org/glsa/200912-02
reference_id GLSA-200912-02
reference_type
scores
url https://security.gentoo.org/glsa/200912-02
fixed_packages
0
url pkg:deb/debian/rails@2.3.5-1?distro=trixie
purl pkg:deb/debian/rails@2.3.5-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.5-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2009-2422, GHSA-rxq3-gm4p-5fj4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x7p8-bnqg-wbca
109
url VCID-xej7-nkc8-dkez
vulnerability_id VCID-xej7-nkc8-dkez
summary 
Active Record contains SQL Injection
SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
references
0
reference_url http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
1
reference_url http://rhn.redhat.com/errata/RHSA-2013-0154.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0154.html
2
reference_url http://rhn.redhat.com/errata/RHSA-2013-0220.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0220.html
3
reference_url http://rhn.redhat.com/errata/RHSA-2013-0544.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2013-0544.html
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-6496.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-6496.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2012-6496
reference_id
reference_type
scores
0
value 0.01017
scoring_system epss
scoring_elements 0.77474
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2012-6496
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=889649
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=889649
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6496
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6496
8
reference_url http://security.gentoo.org/glsa/glsa-201401-22.xml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://security.gentoo.org/glsa/glsa-201401-22.xml
9
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
10
reference_url https://github.com/rails/rails/commit/9de9b359d0d24f70f0f6c5c58a7ad8750684d456
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/9de9b359d0d24f70f0f6c5c58a7ad8750684d456
11
reference_url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
reference_id
reference_type
scores
url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
12
reference_url https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2012-6496
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2012-6496
14
reference_url https://github.com/advisories/GHSA-gh2w-j7cx-2664
reference_id GHSA-gh2w-j7cx-2664
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gh2w-j7cx-2664
15
reference_url https://security.gentoo.org/glsa/201401-22
reference_id GLSA-201401-22
reference_type
scores
url https://security.gentoo.org/glsa/201401-22
16
reference_url https://access.redhat.com/errata/RHSA-2013:0154
reference_id RHSA-2013:0154
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0154
17
reference_url https://access.redhat.com/errata/RHSA-2013:0155
reference_id RHSA-2013:0155
reference_type
scores
url https://access.redhat.com/errata/RHSA-2013:0155
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2012-6496, GHSA-gh2w-j7cx-2664, OSV-88661
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xej7-nkc8-dkez
110
url VCID-xk44-a7b6-n7gd
vulnerability_id VCID-xk44-a7b6-n7gd
summary activestorage: Code injection in Active Storage when used in conjunction with the image_processing gem
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24293.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24293.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-24293
reference_id
reference_type
scores
0
value 0.00209
scoring_system epss
scoring_elements 0.43294
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-24293
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24293
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24293
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/advisories/GHSA-r4mg-4433-c7g3
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-02T14:45:32Z/
url https://github.com/advisories/GHSA-r4mg-4433-c7g3
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/1b1adf6ee6ca0f3104fcfce79360b2ec1e06a354
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/1b1adf6ee6ca0f3104fcfce79360b2ec1e06a354
7
reference_url https://github.com/rails/rails/commit/2d612735ac0d9712fdfffaf80afa627e7295f6ce
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2d612735ac0d9712fdfffaf80afa627e7295f6ce
8
reference_url https://github.com/rails/rails/commit/fb8f3a18c3d97524c0efc29150d1e5f3162fbb13
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/fb8f3a18c3d97524c0efc29150d1e5f3162fbb13
9
reference_url https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2025-24293.yml
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-24293
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-24293
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2435565
reference_id 2435565
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2435565
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u4?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u4?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u4%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2025-24293, GHSA-r4mg-4433-c7g3
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xk44-a7b6-n7gd
111
url VCID-xkt5-d1x6-nbdx
vulnerability_id VCID-xkt5-d1x6-nbdx
summary 
Improper Access Control in activejob
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.
references
0
reference_url https://access.redhat.com/errata/RHSA-2019:0600
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2019:0600
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16476.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16476.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-16476
reference_id
reference_type
scores
0
value 0.00791
scoring_system epss
scoring_elements 0.74189
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-16476
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16476
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16476
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/970b0d754be7c71a760d9b807eea32297fd838e3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/970b0d754be7c71a760d9b807eea32297fd838e3
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/CVE-2018-16476.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/CVE-2018-16476.yml
8
reference_url https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/d/msg/rubyonrails-security/FL4dSdzr2zw/zjKVhF4qBAAJ
9
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-16476
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-16476
11
reference_url https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released
12
reference_url https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/
reference_id
reference_type
scores
url https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1659223
reference_id 1659223
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1659223
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914847
reference_id 914847
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914847
15
reference_url https://github.com/advisories/GHSA-q2qw-rmrh-vv42
reference_id GHSA-q2qw-rmrh-vv42
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q2qw-rmrh-vv42
fixed_packages
0
url pkg:deb/debian/rails@2:5.2.2%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:5.2.2%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:5.2.2%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2018-16476, GHSA-q2qw-rmrh-vv42
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xkt5-d1x6-nbdx
112
url VCID-xmwx-eqjn-pba9
vulnerability_id VCID-xmwx-eqjn-pba9
summary 
Rails activerecord gem has Improper Input Validation vulnerability
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2010-3933
reference_id
reference_type
scores
0
value 0.00712
scoring_system epss
scoring_elements 0.72613
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2010-3933
1
reference_url http://secunia.com/advisories/41930
reference_id
reference_type
scores
url http://secunia.com/advisories/41930
2
reference_url http://securitytracker.com/id?1024624
reference_id
reference_type
scores
url http://securitytracker.com/id?1024624
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rails/rails/commit/2d96bccb1e8b62e3e11ca0c5d38aaa8cece889ae
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/2d96bccb1e8b62e3e11ca0c5d38aaa8cece889ae
5
reference_url https://github.com/rails/rails/commit/96183e0f284bab27667e5a38fa6a1578eb029585
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/96183e0f284bab27667e5a38fa6a1578eb029585
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2010-3933.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2010-3933.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2010-3933
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2010-3933
8
reference_url https://web.archive.org/web/20101129225633/http://securitytracker.com/alerts/2010/Oct/1024624.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20101129225633/http://securitytracker.com/alerts/2010/Oct/1024624.html
9
reference_url https://web.archive.org/web/20111225083933/http://secunia.com/advisories/41930
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20111225083933/http://secunia.com/advisories/41930
10
reference_url https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1024624
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1024624
11
reference_url http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0
12
reference_url http://www.vupen.com/english/advisories/2010/2719
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2010/2719
13
reference_url https://github.com/advisories/GHSA-gjxw-5w2q-7grf
reference_id GHSA-gjxw-5w2q-7grf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gjxw-5w2q-7grf
14
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2010-3933, GHSA-gjxw-5w2q-7grf
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xmwx-eqjn-pba9
113
url VCID-xnj2-tbzn-tff6
vulnerability_id VCID-xnj2-tbzn-tff6
summary activerecord: Active Record ANSI Injection Vulnerability
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55193.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55193.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55193
reference_id
reference_type
scores
0
value 0.00319
scoring_system epss
scoring_elements 0.55181
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55193
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55193
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55193
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:42:07Z/
url https://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290
6
reference_url https://github.com/rails/rails/commit/568c0bc2f1e74c65d150a84b89a080949bf9eb9b
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:42:07Z/
url https://github.com/rails/rails/commit/568c0bc2f1e74c65d150a84b89a080949bf9eb9b
7
reference_url https://github.com/rails/rails/commit/6a944ca4805e72050a0fbb1a461534eb760d3202
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:42:07Z/
url https://github.com/rails/rails/commit/6a944ca4805e72050a0fbb1a461534eb760d3202
8
reference_url https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:42:07Z/
url https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2025-55193.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2025-55193.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55193
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55193
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111106
reference_id 1111106
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111106
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2388446
reference_id 2388446
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2388446
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u4?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u4?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u4%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2025-55193, GHSA-76r7-hhxj-r776
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xnj2-tbzn-tff6
114
url VCID-y13c-awe3-2bc1
vulnerability_id VCID-y13c-awe3-2bc1
summary 
actionpack is vulnerable to remote bypass authentication
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
references
0
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html
2
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html
3
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html
4
reference_url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
5
reference_url http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
6
reference_url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
7
reference_url http://rhn.redhat.com/errata/RHSA-2016-0296.html
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://rhn.redhat.com/errata/RHSA-2016-0296.html
8
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7576.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7576.json
9
reference_url https://api.first.org/data/v1/epss?cve=CVE-2015-7576
reference_id
reference_type
scores
0
value 0.01119
scoring_system epss
scoring_elements 0.78538
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2015-7576
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
16
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752
17
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753
18
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:P/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
19
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
20
reference_url https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbd
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbd
21
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2015-7576.yml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2015-7576.yml
22
reference_url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ
23
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements
1
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
24
reference_url https://nvd.nist.gov/vuln/detail/CVE-2015-7576
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2015-7576
25
reference_url https://web.archive.org/web/20160405205300/http://www.securitytracker.com/id/1034816
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20160405205300/http://www.securitytracker.com/id/1034816
26
reference_url https://web.archive.org/web/20200228001849/http://www.securityfocus.com/bid/81803
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20200228001849/http://www.securityfocus.com/bid/81803
27
reference_url http://www.debian.org/security/2016/dsa-3464
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3464
28
reference_url http://www.openwall.com/lists/oss-security/2016/01/25/8
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/01/25/8
29
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1301933
reference_id 1301933
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1301933
30
reference_url https://github.com/advisories/GHSA-p692-7mm3-3fxg
reference_id GHSA-p692-7mm3-3fxg
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p692-7mm3-3fxg
31
reference_url https://access.redhat.com/errata/RHSA-2016:0296
reference_id RHSA-2016:0296
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0296
32
reference_url https://access.redhat.com/errata/RHSA-2016:0454
reference_id RHSA-2016:0454
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0454
33
reference_url https://access.redhat.com/errata/RHSA-2016:0455
reference_id RHSA-2016:0455
reference_type
scores
url https://access.redhat.com/errata/RHSA-2016:0455
fixed_packages
0
url pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
purl pkg:deb/debian/rails@2:4.2.5.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:4.2.5.1-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2015-7576, GHSA-p692-7mm3-3fxg
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y13c-awe3-2bc1
115
url VCID-y922-r53a-rke5
vulnerability_id VCID-y922-r53a-rke5
summary 
activerecord vulnerable to SQL Injection
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/4e19864cf6ad40ad?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-0448
reference_id
reference_type
scores
0
value 0.00689
scoring_system epss
scoring_elements 0.72088
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-0448
3
reference_url http://secunia.com/advisories/43278
reference_id
reference_type
scores
url http://secunia.com/advisories/43278
4
reference_url http://securitytracker.com/id?1025063
reference_id
reference_type
scores
url http://securitytracker.com/id?1025063
5
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
6
reference_url https://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/354da43ab0a10b3b7b3f9cb0619aa562c3be8474
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-0448.yml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2011-0448.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-0448
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-0448
9
reference_url https://web.archive.org/web/20201220214809/http://securitytracker.com/id?1025063
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20201220214809/http://securitytracker.com/id?1025063
10
reference_url http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
11
reference_url http://www.vupen.com/english/advisories/2011/0877
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2011/0877
12
reference_url https://github.com/advisories/GHSA-jmm9-2p29-vh2w
reference_id GHSA-jmm9-2p29-vh2w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jmm9-2p29-vh2w
13
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-0448, GHSA-jmm9-2p29-vh2w
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y922-r53a-rke5
116
url VCID-yu7a-v8cu-gya3
vulnerability_id VCID-yu7a-v8cu-gya3
summary 
Information disclosure issue in Active Resource
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-8151
reference_id
reference_type
scores
0
value 0.00286
scoring_system epss
scoring_elements 0.52312
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-8151
1
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2
reference_url https://github.com/rails/activeresource
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/activeresource
3
reference_url https://github.com/rails/activeresource/commit/0de18f7e96fa90bbf23b16ac11980bc2cb6a716e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/activeresource/commit/0de18f7e96fa90bbf23b16ac11980bc2cb6a716e
4
reference_url https://github.com/rails/rails/commit/0e969bdaf8ff2e3384350687aa0b583f94d6dfbc
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/0e969bdaf8ff2e3384350687aa0b583f94d6dfbc
5
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7B7A4H22DZ522HLDS3JX3NX2CXIOZSR
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P7B7A4H22DZ522HLDS3JX3NX2CXIOZSR
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-8151
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-8151
8
reference_url https://github.com/advisories/GHSA-46j2-xjgp-jrfm
reference_id GHSA-46j2-xjgp-jrfm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-46j2-xjgp-jrfm
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2020-8151, GHSA-46j2-xjgp-jrfm
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yu7a-v8cu-gya3
117
url VCID-z16b-zfgu-13a9
vulnerability_id VCID-z16b-zfgu-13a9
summary rails: Possible DoS Vulnerability in Action Controller Token Authentication
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22904
reference_id
reference_type
scores
0
value 0.03338
scoring_system epss
scoring_elements 0.87506
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22904
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
5
reference_url https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
8
reference_url https://github.com/rails/rails/releases/tag/v5.2.4.6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v5.2.4.6
9
reference_url https://github.com/rails/rails/releases/tag/v5.2.6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v5.2.6
10
reference_url https://github.com/rails/rails/releases/tag/v6.0.3.7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.0.3.7
11
reference_url https://github.com/rails/rails/releases/tag/v6.1.3.2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v6.1.3.2
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml
13
reference_url https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
14
reference_url https://hackerone.com/reports/1101125
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1101125
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22904
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22904
16
reference_url https://security.netapp.com/advisory/ntap-20210805-0009
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210805-0009
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1961379
reference_id 1961379
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1961379
18
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id 988214
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
19
reference_url https://security.archlinux.org/AVG-1920
reference_id AVG-1920
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1920
20
reference_url https://security.archlinux.org/AVG-1921
reference_id AVG-1921
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1921
21
reference_url https://security.archlinux.org/AVG-2090
reference_id AVG-2090
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2090
22
reference_url https://security.archlinux.org/AVG-2223
reference_id AVG-2223
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2223
23
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2021-22904, GHSA-7wjx-3g7j-8584
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z16b-zfgu-13a9
118
url VCID-z277-4dtj-zfbz
vulnerability_id VCID-z277-4dtj-zfbz
summary 
Open Redirect Vulnerability in Action Pack
There is a vulnerability in Action Controller’s redirect_to. This vulnerability has been assigned the CVE identifier CVE-2023-22797.

Versions Affected: >= 7.0.0 Not affected: < 7.0.0 Fixed Versions: 7.0.4.1
Impact 

There is a possible open redirect when using the redirect_to helper with untrusted user input.

Vulnerable code will look like this:
```
redirect_to(params[:some_param])
```

Rails 7.0 introduced protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could be bypassed by a carefully crafted URL.

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    7-0-Fix-sec-issue-with-_url_host_allowed.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22797.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22797.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-22797
reference_id
reference_type
scores
0
value 0.00159
scoring_system epss
scoring_elements 0.36547
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-22797
2
reference_url https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:07:07Z/
url https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/releases/tag/v7.0.4.1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.4.1
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22797.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22797.yml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-22797
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-22797
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164793
reference_id 2164793
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164793
9
reference_url https://github.com/advisories/GHSA-9445-4cr6-336r
reference_id GHSA-9445-4cr6-336r
reference_type
scores
url https://github.com/advisories/GHSA-9445-4cr6-336r
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-22797, GHSA-9445-4cr6-336r, GMS-2023-57
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z277-4dtj-zfbz
119
url VCID-z8t9-md9f-qfde
vulnerability_id VCID-z8t9-md9f-qfde
summary 
activesupport Improper Input Validation vulnerability
The `ActiveSupport::XmlMini_JDOM` backend in `lib/active_support/xml_mini/jdom.rb` in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
references
0
reference_url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
1
reference_url http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-1856
reference_id
reference_type
scores
0
value 0.00707
scoring_system epss
scoring_elements 0.7247
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-1856
3
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2013-1856.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2013-1856.yml
5
reference_url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI
reference_id
reference_type
scores
url https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI
6
reference_url https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-1856
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-1856
8
reference_url http://support.apple.com/kb/HT5784
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://support.apple.com/kb/HT5784
9
reference_url https://web.archive.org/web/20130609174600/http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20130609174600/http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
10
reference_url https://web.archive.org/web/20131109010518/http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20131109010518/http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
11
reference_url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released
12
reference_url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
reference_id
reference_type
scores
url http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
13
reference_url http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1856
reference_id
reference_type
scores
url http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1856
14
reference_url http://www.openwall.com/lists/oss-security/2013/03/18/4
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2013/03/18/4
15
reference_url https://github.com/advisories/GHSA-9c2j-593q-3g82
reference_id GHSA-9c2j-593q-3g82
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9c2j-593q-3g82
16
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-1856, GHSA-9c2j-593q-3g82, OSV-91451
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z8t9-md9f-qfde
120
url VCID-zapd-uts9-zfch
vulnerability_id VCID-zapd-uts9-zfch
summary 
actionpack allows remote attackers to bypass intended access restrictions
`actionpack/lib/action_view/template/resolver.rb` in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters.
references
0
reference_url http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain
1
reference_url http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2011-0449
reference_id
reference_type
scores
0
value 0.00555
scoring_system epss
scoring_elements 0.68408
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2011-0449
3
reference_url http://secunia.com/advisories/43278
reference_id
reference_type
scores
url http://secunia.com/advisories/43278
4
reference_url http://securitytracker.com/id?1025061
reference_id
reference_type
scores
url http://securitytracker.com/id?1025061
5
reference_url https://github.com/rails/rails/commit/6f80224057803f85b3f448936aae89e742452c3b
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/6f80224057803f85b3f448936aae89e742452c3b
6
reference_url https://github.com/rails/rails/tree/main/actionpack
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/tree/main/actionpack
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0449.yml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2011-0449.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2011-0449
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2011-0449
9
reference_url https://web.archive.org/web/20201207190612/http://securitytracker.com/id?1025061
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20201207190612/http://securitytracker.com/id?1025061
10
reference_url http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
11
reference_url http://www.vupen.com/english/advisories/2011/0877
reference_id
reference_type
scores
url http://www.vupen.com/english/advisories/2011/0877
12
reference_url https://github.com/advisories/GHSA-4ww3-3rxj-8v6q
reference_id GHSA-4ww3-3rxj-8v6q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4ww3-3rxj-8v6q
13
reference_url https://security.gentoo.org/glsa/201412-28
reference_id GLSA-201412-28
reference_type
scores
url https://security.gentoo.org/glsa/201412-28
fixed_packages
0
url pkg:deb/debian/rails@0?distro=trixie
purl pkg:deb/debian/rails@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@0%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2011-0449, GHSA-4ww3-3rxj-8v6q
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zapd-uts9-zfch
121
url VCID-zpzn-dbk4-juae
vulnerability_id VCID-zpzn-dbk4-juae
summary 
Active Support Possibly Discloses Locally Encrypted Files
There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

# Impact
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

# Releases
The fixed releases are available at the normal locations.

# Workarounds
To work around this issue, you can set your umask to be more restrictive like this:

```ruby
$ umask 0077
```
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38037.json
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38037.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-38037
reference_id
reference_type
scores
0
value 0.00072
scoring_system epss
scoring_elements 0.22043
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-38037
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38037
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38037
3
reference_url https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:35:42Z/
url https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
4
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
5
reference_url https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
6
reference_url https://github.com/rails/rails/releases/tag/v7.0.7.1
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements
1
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails/releases/tag/v7.0.7.1
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-38037
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-38037
9
reference_url https://security.netapp.com/advisory/ntap-20250214-0010
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250214-0010
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051057
reference_id 1051057
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051057
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2236261
reference_id 2236261
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2236261
12
reference_url https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
reference_id GHSA-cr5q-6q9f-rq6q
reference_type
scores
url https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
13
reference_url https://access.redhat.com/errata/RHSA-2023:7720
reference_id RHSA-2023:7720
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7720
14
reference_url https://access.redhat.com/errata/RHSA-2024:0268
reference_id RHSA-2024:0268
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0268
15
reference_url https://access.redhat.com/errata/RHSA-2024:2010
reference_id RHSA-2024:2010
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2010
fixed_packages
0
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.1%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
6
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2023-38037, GHSA-cr5q-6q9f-rq6q
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zpzn-dbk4-juae
122
url VCID-zuwm-kmb2-23ay
vulnerability_id VCID-zuwm-kmb2-23ay
summary 
Active Record component in Ruby on Rails has a data-type injection vulnerability
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.
references
0
reference_url http://openwall.com/lists/oss-security/2013/02/06/7
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2013/02/06/7
1
reference_url http://openwall.com/lists/oss-security/2013/04/24/7
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://openwall.com/lists/oss-security/2013/04/24/7
2
reference_url http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails
3
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-3221.json
reference_id
reference_type
scores
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-3221.json
4
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-3221
reference_id
reference_type
scores
0
value 0.00483
scoring_system epss
scoring_elements 0.65482
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-3221
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3221
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3221
6
reference_url https://github.com/rails/rails
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-3221.yml
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2013-3221.yml
8
reference_url https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-3221
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2013-3221
10
reference_url https://web.archive.org/web/20130825191249/http://www.phenoelit.org/blog/archives/2013/02/index.html
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20130825191249/http://www.phenoelit.org/blog/archives/2013/02/index.html
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=954365
reference_id 954365
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=954365
12
reference_url https://github.com/advisories/GHSA-f57c-hx33-hvh8
reference_id GHSA-f57c-hx33-hvh8
reference_type
scores
url https://github.com/advisories/GHSA-f57c-hx33-hvh8
fixed_packages
0
url pkg:deb/debian/rails@2.3.14.1?distro=trixie
purl pkg:deb/debian/rails@2.3.14.1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2.3.14.1%3Fdistro=trixie
1
url pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/rails@2:6.0.3.7%2Bdfsg-2%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie
2
url pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
purl pkg:deb/debian/rails@2:6.1.7.10%2Bdfsg-1~deb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.1.7.10%252Bdfsg-1~deb12u2%3Fdistro=trixie
3
url pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.2.2%2Bdfsg-2~deb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ghz-4sfg-2feh
1
vulnerability VCID-5bzk-rhe1-fqdc
2
vulnerability VCID-7zz5-k99f-v3f6
3
vulnerability VCID-f48b-ashx-53bg
4
vulnerability VCID-gbvf-y28h-kqax
5
vulnerability VCID-hdsb-jx4g-fqf6
6
vulnerability VCID-nwk7-sujd-nkc1
7
vulnerability VCID-urpb-uk1z-vqga
8
vulnerability VCID-v3mu-95kt-ufc6
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.2.2%252Bdfsg-2~deb13u1%3Fdistro=trixie
4
url pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/rails@2:7.2.3.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:7.2.3.1%252Bdfsg-1%3Fdistro=trixie
aliases CVE-2013-3221, GHSA-f57c-hx33-hvh8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zuwm-kmb2-23ay
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/rails@2:6.0.3.7%252Bdfsg-2%252Bdeb11u2%3Fdistro=trixie