| 0 |
| url |
VCID-123f-6px7-3qdg |
| vulnerability_id |
VCID-123f-6px7-3qdg |
| summary |
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a `..` (dot dot) in a pathname. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
http://rhn.redhat.com/errata/RHSA-2016-0296.html |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ |
|
|
| url |
http://rhn.redhat.com/errata/RHSA-2016-0296.html |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
| reference_url |
http://www.debian.org/security/2016/dsa-3464 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ |
|
|
| url |
http://www.debian.org/security/2016/dsa-3464 |
|
| 29 |
|
| 30 |
| reference_url |
http://www.securityfocus.com/bid/81801 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ |
|
|
| url |
http://www.securityfocus.com/bid/81801 |
|
| 31 |
| reference_url |
http://www.securitytracker.com/id/1034816 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-07T13:26:36Z/ |
|
|
| url |
http://www.securitytracker.com/id/1034816 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.22.1 |
| purl |
pkg:gem/actionpack@3.2.22.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 10 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 11 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 12 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 13 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 14 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 15 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 16 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 17 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 18 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 27 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 28 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 29 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.22.1 |
|
| 1 |
| url |
pkg:gem/actionpack@4.1.14.1 |
| purl |
pkg:gem/actionpack@4.1.14.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 19 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 20 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 21 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 22 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 23 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 24 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 25 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 26 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 27 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 28 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.14.1 |
|
| 2 |
| url |
pkg:gem/actionpack@4.2.5.1 |
| purl |
pkg:gem/actionpack@4.2.5.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 6 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 7 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 8 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 9 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 10 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 11 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 12 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 13 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 14 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 15 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 16 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 17 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 18 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 19 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 20 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 21 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 22 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 23 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 24 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 25 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 26 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 27 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.2.5.1 |
|
|
| aliases |
CVE-2016-0752, GHSA-xrr4-p6fq-hjg7
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-123f-6px7-3qdg |
|
| 1 |
| url |
VCID-1b9z-efz6-9fdu |
| vulnerability_id |
VCID-1b9z-efz6-9fdu |
| summary |
actionpack Improper Input Validation vulnerability
The template selection functionality in `actionpack/lib/action_view/template/resolver.rb` in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability." |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.1.0 |
| purl |
pkg:gem/actionpack@3.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-1xbd-73qv-mff9 |
|
| 3 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 4 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 5 |
| vulnerability |
VCID-4bzb-ft3d-dkgg |
|
| 6 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 7 |
| vulnerability |
VCID-58sa-6uag-z7hp |
|
| 8 |
| vulnerability |
VCID-5a2t-fre4-zkay |
|
| 9 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 10 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 11 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 12 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 13 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 14 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 15 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 16 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 17 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 18 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 19 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 20 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 21 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 22 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 23 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 24 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 25 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 26 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 27 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 28 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 29 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 30 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 31 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 32 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 33 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 34 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 35 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 36 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 37 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 38 |
| vulnerability |
VCID-rgw4-mrr9-euda |
|
| 39 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 40 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 41 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 42 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 43 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 44 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 45 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 46 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.1.0 |
|
|
| aliases |
CVE-2011-2929, GHSA-r7q2-5gqg-6c7q
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1b9z-efz6-9fdu |
|
| 2 |
| url |
VCID-3edd-m27s-a3ek |
| vulnerability_id |
VCID-3edd-m27s-a3ek |
| summary |
actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request
`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `['xyz', nil]` values, a related issue to CVE-2012-2660. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.1.6 |
| purl |
pkg:gem/actionpack@3.1.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-1xbd-73qv-mff9 |
|
| 3 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 4 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 5 |
| vulnerability |
VCID-4bzb-ft3d-dkgg |
|
| 6 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 7 |
| vulnerability |
VCID-58sa-6uag-z7hp |
|
| 8 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 9 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 10 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 11 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 12 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 13 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 14 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 15 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 16 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 17 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 18 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 19 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 20 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 21 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 22 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 23 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 24 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 25 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 26 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 27 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 28 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 29 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 30 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 31 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 32 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 33 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 34 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 35 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 36 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 37 |
| vulnerability |
VCID-rgw4-mrr9-euda |
|
| 38 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 39 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 40 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 41 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 42 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 43 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 44 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 45 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.1.6 |
|
| 1 |
| url |
pkg:gem/actionpack@3.2.6 |
| purl |
pkg:gem/actionpack@3.2.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-1xbd-73qv-mff9 |
|
| 3 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 4 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 5 |
| vulnerability |
VCID-4bzb-ft3d-dkgg |
|
| 6 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 7 |
| vulnerability |
VCID-58sa-6uag-z7hp |
|
| 8 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 9 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 10 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 11 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 12 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 13 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 14 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 15 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 16 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 17 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 18 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 19 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 20 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 21 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 22 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 23 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 24 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 25 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 26 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 27 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 28 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 29 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 30 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 31 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 32 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 33 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 34 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 35 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 36 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 37 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 38 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 39 |
| vulnerability |
VCID-rgw4-mrr9-euda |
|
| 40 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 41 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 42 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 43 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 44 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 45 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 46 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 47 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.6 |
|
|
| aliases |
CVE-2012-2694, GHSA-q34c-48gc-m9g8
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3edd-m27s-a3ek |
|
| 3 |
| url |
VCID-3rn4-abmh-nkhv |
| vulnerability_id |
VCID-3rn4-abmh-nkhv |
| summary |
actionpack allows bypass of database-query restrictions
`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.16 |
| purl |
pkg:gem/actionpack@3.2.16 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 7 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 8 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 9 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 10 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 11 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 12 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 13 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 14 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 15 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 16 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 17 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 18 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 19 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 20 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 21 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 22 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 23 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 24 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 25 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 26 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 27 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 28 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 29 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 30 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 31 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 32 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 33 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 34 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 35 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 36 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.16 |
|
| 1 |
| url |
pkg:gem/actionpack@4.0.2 |
| purl |
pkg:gem/actionpack@4.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 17 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 18 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 19 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 20 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 21 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 22 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 23 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 24 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 25 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 26 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 27 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 28 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 29 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 30 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 31 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 32 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 33 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 34 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2 |
|
|
| aliases |
CVE-2013-6417, GHSA-wpw7-wxjm-cw8r, OSV-100527
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3rn4-abmh-nkhv |
|
| 4 |
| url |
VCID-4w1v-z4zj-6ydp |
| vulnerability_id |
VCID-4w1v-z4zj-6ydp |
| summary |
Untrusted users can run pending migrations in production in Rails
There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
This vulnerability has been assigned the CVE identifier CVE-2020-8185.
Versions Affected: 6.0.0 < rails < 6.0.3.2
Not affected: Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production)
Fixed Versions: rails >= 6.0.3.2
Impact
------
Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run.
Workarounds
-----------
Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb:
`config.middleware.delete ActionDispatch::ActionableExceptions` |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@6.0.3.2 |
| purl |
pkg:gem/actionpack@6.0.3.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-25ru-4qks-7yf3 |
|
| 1 |
| vulnerability |
VCID-4fyg-vxpj-c7d7 |
|
| 2 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 3 |
| vulnerability |
VCID-be5x-uyc6-sudm |
|
| 4 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 5 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 6 |
| vulnerability |
VCID-fdqs-v9b2-53gu |
|
| 7 |
| vulnerability |
VCID-fgtd-zx7r-rygb |
|
| 8 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 9 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 10 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 11 |
| vulnerability |
VCID-mgjg-juur-rfe5 |
|
| 12 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 13 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 14 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 15 |
| vulnerability |
VCID-re7g-rxbm-dbd9 |
|
| 16 |
| vulnerability |
VCID-uppk-66vw-gbb9 |
|
| 17 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 18 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.2 |
|
|
| aliases |
CVE-2020-8185, GHSA-c6qr-h5vq-59jc
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4w1v-z4zj-6ydp |
|
| 5 |
| url |
VCID-5pfg-7ntp-eff4 |
| vulnerability_id |
VCID-5pfg-7ntp-eff4 |
| summary |
Cross-site Scripting vulnerability in i18n translations helper method
Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.1.2 |
| purl |
pkg:gem/actionpack@3.1.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-1xbd-73qv-mff9 |
|
| 3 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 4 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 5 |
| vulnerability |
VCID-4bzb-ft3d-dkgg |
|
| 6 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 7 |
| vulnerability |
VCID-58sa-6uag-z7hp |
|
| 8 |
| vulnerability |
VCID-5a2t-fre4-zkay |
|
| 9 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 10 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 11 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 12 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 13 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 14 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 15 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 16 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 17 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 18 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 19 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 20 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 21 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 22 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 23 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 24 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 25 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 26 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 27 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 28 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 29 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 30 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 31 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 32 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 33 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 34 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 35 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 36 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 37 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 38 |
| vulnerability |
VCID-rgw4-mrr9-euda |
|
| 39 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 40 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 41 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 42 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 43 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 44 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 45 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 46 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.1.2 |
|
|
| aliases |
CVE-2011-4319, GHSA-xxr8-833v-c7wc, OSV-77199
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5pfg-7ntp-eff4 |
|
| 6 |
| url |
VCID-5psk-hzaf-1kbz |
| vulnerability_id |
VCID-5psk-hzaf-1kbz |
| summary |
actionpack vulnerable to Cross-site Scripting
Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/translation_helper.rb` in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.16 |
| purl |
pkg:gem/actionpack@3.2.16 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 7 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 8 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 9 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 10 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 11 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 12 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 13 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 14 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 15 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 16 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 17 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 18 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 19 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 20 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 21 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 22 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 23 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 24 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 25 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 26 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 27 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 28 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 29 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 30 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 31 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 32 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 33 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 34 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 35 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 36 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.16 |
|
| 1 |
| url |
pkg:gem/actionpack@4.0.2 |
| purl |
pkg:gem/actionpack@4.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 17 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 18 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 19 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 20 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 21 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 22 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 23 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 24 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 25 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 26 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 27 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 28 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 29 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 30 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 31 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 32 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 33 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 34 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2 |
|
|
| aliases |
CVE-2013-4491, GHSA-699m-mcjm-9cw8, OSV-100528
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5psk-hzaf-1kbz |
|
| 7 |
| url |
VCID-6z21-pd9d-pfgk |
| vulnerability_id |
VCID-6z21-pd9d-pfgk |
| summary |
Possible Strong Parameters Bypass in ActionPack
There is a strong parameters bypass vector in ActionPack.
Versions Affected: rails <= 6.0.3
Not affected: rails < 5.0.0
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
------
In some cases user supplied information can be inadvertently leaked from
Strong Parameters. Specifically the return value of `each`, or `each_value`,
or `each_pair` will return the underlying "untrusted" hash of data that was
read from the parameters. Applications that use this return value may be
inadvertently use untrusted user input.
Impacted code will look something like this:
```
def update
# Attacker has included the parameter: `{ is_admin: true }`
User.update(clean_up_params)
end
def clean_up_params
params.each { |k, v| SomeModel.check(v) if k == :name }
end
```
Note the mistaken use of `each` in the `clean_up_params` method in the above
example.
Workarounds
-----------
Do not use the return values of `each`, `each_value`, or `each_pair` in your
application. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@5.2.4.3 |
| purl |
pkg:gem/actionpack@5.2.4.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4fyg-vxpj-c7d7 |
|
| 1 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 2 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 3 |
| vulnerability |
VCID-be5x-uyc6-sudm |
|
| 4 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 5 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 6 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 7 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 8 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 9 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 10 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 11 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 12 |
| vulnerability |
VCID-re7g-rxbm-dbd9 |
|
| 13 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 14 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.4.3 |
|
| 1 |
| url |
pkg:gem/actionpack@6.0.3.1 |
| purl |
pkg:gem/actionpack@6.0.3.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-25ru-4qks-7yf3 |
|
| 1 |
| vulnerability |
VCID-4fyg-vxpj-c7d7 |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 4 |
| vulnerability |
VCID-be5x-uyc6-sudm |
|
| 5 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 6 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 7 |
| vulnerability |
VCID-fdqs-v9b2-53gu |
|
| 8 |
| vulnerability |
VCID-fgtd-zx7r-rygb |
|
| 9 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 10 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 11 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 12 |
| vulnerability |
VCID-mgjg-juur-rfe5 |
|
| 13 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 14 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 15 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 16 |
| vulnerability |
VCID-re7g-rxbm-dbd9 |
|
| 17 |
| vulnerability |
VCID-uppk-66vw-gbb9 |
|
| 18 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 19 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.1 |
|
|
| aliases |
CVE-2020-8164, GHSA-8727-m6gj-mc37
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6z21-pd9d-pfgk |
|
| 8 |
| url |
VCID-8nkw-8mka-1ygk |
| vulnerability_id |
VCID-8nkw-8mka-1ygk |
| summary |
actionpack Improper Input Validation vulnerability
The `to_s` method in `actionpack/lib/action_dispatch/middleware/remote_ip.rb` in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-3187, GHSA-3vfw-7rcp-3xgm
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8nkw-8mka-1ygk |
|
| 9 |
| url |
VCID-98gu-r7wd-cuah |
| vulnerability_id |
VCID-98gu-r7wd-cuah |
| summary |
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.
Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious X_FORWARDED_HOST headers before they reach the application.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-1-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 6.1 series
7-0-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 7.0 series
Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-22792, GHSA-p84v-45xj-wwqj, GMS-2023-58
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-98gu-r7wd-cuah |
|
| 10 |
| url |
VCID-9gqn-8g4t-wfby |
| vulnerability_id |
VCID-9gqn-8g4t-wfby |
| summary |
actionpack Cross-site Scripting vulnerability
The `sanitize_css` method in `lib/action_controller/vendor/html-scanner/html/sanitizer.rb` in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle `\n` (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.1.12 |
| purl |
pkg:gem/actionpack@3.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 4 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 5 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 6 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 7 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 8 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 9 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 10 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 11 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 12 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 13 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 14 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 15 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 16 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 17 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 18 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 19 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 20 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 21 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 22 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 23 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 24 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 25 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 26 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 27 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 28 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 29 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 30 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 31 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 32 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 33 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 34 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 35 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 36 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 37 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 38 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 39 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 40 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 41 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.1.12 |
|
| 1 |
| url |
pkg:gem/actionpack@3.2.13 |
| purl |
pkg:gem/actionpack@3.2.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 4 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 5 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 6 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 7 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 8 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 9 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 10 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 11 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 12 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 13 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 14 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 15 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 16 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 17 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 18 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 19 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 20 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 21 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 22 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 23 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 24 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 25 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 26 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 27 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 28 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 29 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 30 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 31 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 32 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 33 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 34 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 35 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 36 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 37 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 38 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 39 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 40 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 41 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 42 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 43 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.13 |
|
|
| aliases |
CVE-2013-1855, GHSA-q759-hwvc-m3jg, OSV-91452
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9gqn-8g4t-wfby |
|
| 11 |
| url |
VCID-a6wp-n5yh-ybcv |
| vulnerability_id |
VCID-a6wp-n5yh-ybcv |
| summary |
Improper Input Validation in actionpack
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
|
| fixed_packages |
|
| aliases |
CVE-2008-7248, GHSA-8fqx-7pv4-3jwm
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a6wp-n5yh-ybcv |
|
| 12 |
| url |
VCID-b4sv-b9pz-r7er |
| vulnerability_id |
VCID-b4sv-b9pz-r7er |
| summary |
actionview Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.22.3 |
| purl |
pkg:gem/actionpack@3.2.22.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 6 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 7 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 8 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 9 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 10 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 11 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 12 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 13 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 14 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 15 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 16 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 17 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 18 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 19 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 20 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 21 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 22 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 23 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 24 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 25 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.22.3 |
|
|
| aliases |
CVE-2016-6316, GHSA-pc3m-v286-2jwj
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b4sv-b9pz-r7er |
|
| 13 |
| url |
VCID-bfbp-7umh-2fcp |
| vulnerability_id |
VCID-bfbp-7umh-2fcp |
| summary |
actionpack and activesupport vulnerable to information leaks
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-3086, GHSA-fg9w-g6m4-557j
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bfbp-7umh-2fcp |
|
| 14 |
| url |
VCID-cs1f-uhb2-xkcm |
| vulnerability_id |
VCID-cs1f-uhb2-xkcm |
| summary |
actionpack Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in the simple_format helper in `actionpack/lib/action_view/helpers/text_helper.rb` in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.1.0 |
| purl |
pkg:gem/actionpack@3.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-1xbd-73qv-mff9 |
|
| 3 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 4 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 5 |
| vulnerability |
VCID-4bzb-ft3d-dkgg |
|
| 6 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 7 |
| vulnerability |
VCID-58sa-6uag-z7hp |
|
| 8 |
| vulnerability |
VCID-5a2t-fre4-zkay |
|
| 9 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 10 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 11 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 12 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 13 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 14 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 15 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 16 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 17 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 18 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 19 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 20 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 21 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 22 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 23 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 24 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 25 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 26 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 27 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 28 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 29 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 30 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 31 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 32 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 33 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 34 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 35 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 36 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 37 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 38 |
| vulnerability |
VCID-rgw4-mrr9-euda |
|
| 39 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 40 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 41 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 42 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 43 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 44 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 45 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 46 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.1.0 |
|
| 1 |
| url |
pkg:gem/actionpack@3.2.0 |
| purl |
pkg:gem/actionpack@3.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-1xbd-73qv-mff9 |
|
| 3 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 4 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 5 |
| vulnerability |
VCID-4bzb-ft3d-dkgg |
|
| 6 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 7 |
| vulnerability |
VCID-58sa-6uag-z7hp |
|
| 8 |
| vulnerability |
VCID-5a2t-fre4-zkay |
|
| 9 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 10 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 11 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 12 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 13 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 14 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 15 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 16 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 17 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 18 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 19 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 20 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 21 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 22 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 23 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 24 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 25 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 26 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 27 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 28 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 29 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 30 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 31 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 32 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 33 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 34 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 35 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 36 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 37 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 38 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 39 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 40 |
| vulnerability |
VCID-rgw4-mrr9-euda |
|
| 41 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 42 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 43 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 44 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 45 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 46 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 47 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 48 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 49 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.0 |
|
| 2 |
| url |
pkg:gem/actionpack@4.0.2 |
| purl |
pkg:gem/actionpack@4.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 17 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 18 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 19 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 20 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 21 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 22 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 23 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 24 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 25 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 26 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 27 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 28 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 29 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 30 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 31 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 32 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 33 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 34 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2 |
|
|
| aliases |
CVE-2013-6416, GHSA-w37c-q653-qg95, OSV-100526
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cs1f-uhb2-xkcm |
|
| 15 |
| url |
VCID-dd87-gevs-juhe |
| vulnerability_id |
VCID-dd87-gevs-juhe |
| summary |
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.
Impact
------
Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.
Credits
-------
Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches! |
| references |
| 0 |
|
| 1 |
| reference_url |
https://access.redhat.com/security/cve/cve-2024-41128 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/ |
|
|
| url |
https://access.redhat.com/security/cve/cve-2024-41128 |
|
| 2 |
|
| 3 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2319036 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2319036 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/rails/rails |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/rails/rails |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T17:09:25Z/ |
|
|
| url |
https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-41128, GHSA-x76w-6vjr-8xgj
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dd87-gevs-juhe |
|
| 16 |
| url |
VCID-eeru-6pyc-8bcd |
| vulnerability_id |
VCID-eeru-6pyc-8bcd |
| summary |
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.
Impact
------
For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
Users on Ruby 3.2 are unaffected by this issue.
Credits
-------
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-47887, GHSA-vfg9-r3fq-jvx4
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eeru-6pyc-8bcd |
|
| 17 |
| url |
VCID-ejgq-s79w-abd6 |
| vulnerability_id |
VCID-ejgq-s79w-abd6 |
| summary |
rails Cross-site Scripting vulnerability
The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-2197, GHSA-v9v4-7jp6-8c73
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ejgq-s79w-abd6 |
|
| 18 |
| url |
VCID-g13k-qvy7-q3fk |
| vulnerability_id |
VCID-g13k-qvy7-q3fk |
| summary |
Rails actionpack gem vulnerable to Cross-site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in the `mail_to` helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0446, GHSA-75w6-p6mg-vh8j
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g13k-qvy7-q3fk |
|
| 19 |
| url |
VCID-g2a6-uem4-uuce |
| vulnerability_id |
VCID-g2a6-uem4-uuce |
| summary |
actionpack Cross-Site Request Forgery vulnerability
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0447, GHSA-24fg-p96v-hxh8
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g2a6-uem4-uuce |
|
| 20 |
| url |
VCID-hh65-ycrj-d7gz |
| vulnerability_id |
VCID-hh65-ycrj-d7gz |
| summary |
actionpack Path Traversal vulnerability
Directory traversal vulnerability in `actionpack/lib/abstract_controller/base.rb` in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
http://rhn.redhat.com/errata/RHSA-2014-1863.html |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:25:09Z/ |
|
|
| url |
http://rhn.redhat.com/errata/RHSA-2014-1863.html |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.18 |
| purl |
pkg:gem/actionpack@3.2.18 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 7 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 8 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 9 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 10 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 11 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 12 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 13 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 14 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 15 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 16 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 17 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 18 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 19 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 20 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 21 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 22 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 23 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 24 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 25 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 26 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 27 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 28 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 29 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 30 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 31 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 32 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 33 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.18 |
|
| 1 |
| url |
pkg:gem/actionpack@4.0.5 |
| purl |
pkg:gem/actionpack@4.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 28 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 29 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 30 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 31 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 32 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.5 |
|
| 2 |
| url |
pkg:gem/actionpack@4.1.1 |
| purl |
pkg:gem/actionpack@4.1.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 28 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 29 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 30 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 31 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 32 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.1 |
|
|
| aliases |
CVE-2014-0130, GHSA-6x85-j5j2-27jx
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hh65-ycrj-d7gz |
|
| 21 |
| url |
VCID-jpj6-wzp3-m3e4 |
| vulnerability_id |
VCID-jpj6-wzp3-m3e4 |
| summary |
actionpack Improper Input Validation vulnerability
`actionpack/lib/action_view/template/text.rb` in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the `:text` option to the `render` method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.17 |
| purl |
pkg:gem/actionpack@3.2.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 7 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 8 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 9 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 10 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 11 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 12 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 13 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 14 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 15 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 16 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 17 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 18 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 19 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 20 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 21 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 22 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 23 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 24 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 25 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 26 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 27 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 28 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 29 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 30 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 31 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 32 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 33 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 34 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.17 |
|
| 1 |
| url |
pkg:gem/actionpack@4.0.0.beta1 |
| purl |
pkg:gem/actionpack@4.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 6 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 7 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 8 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 9 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 10 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 11 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 12 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 13 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 14 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 15 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 16 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 17 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 18 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 19 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 20 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 21 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 22 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 23 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 24 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 25 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 26 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 27 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 28 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 29 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 30 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 31 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 32 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 33 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 34 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 35 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 36 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 37 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 38 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 39 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 40 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.0.beta1 |
|
| 2 |
| url |
pkg:gem/actionpack@4.0.0 |
| purl |
pkg:gem/actionpack@4.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 4 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 5 |
| vulnerability |
VCID-5az9-zqff-5kav |
|
| 6 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 7 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 8 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 9 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 10 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 11 |
| vulnerability |
VCID-8p57-4fhz-v3gh |
|
| 12 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 13 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 14 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 15 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 16 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 17 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 18 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 19 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 20 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 21 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 22 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 23 |
| vulnerability |
VCID-hvua-jhzn-97fr |
|
| 24 |
| vulnerability |
VCID-k651-yq6k-cyc9 |
|
| 25 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 26 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 27 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 28 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 29 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 30 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 31 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 32 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 33 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 34 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 35 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 36 |
| vulnerability |
VCID-p2yz-5pzq-nyag |
|
| 37 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 38 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 39 |
| vulnerability |
VCID-rnnm-ck7u-fydy |
|
| 40 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 41 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 42 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 43 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 44 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 45 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 46 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 47 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.0 |
|
|
| aliases |
CVE-2014-0082, GHSA-7cgp-c3g7-qvrw, OSV-103440
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jpj6-wzp3-m3e4 |
|
| 22 |
| url |
VCID-k6aw-heeb-wke2 |
| vulnerability_id |
VCID-k6aw-heeb-wke2 |
| summary |
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.
Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.
Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series
Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-22795, GHSA-8xww-x3g3-6jcv, GMS-2023-56
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k6aw-heeb-wke2 |
|
| 23 |
| url |
VCID-kshz-ckjc-77ab |
| vulnerability_id |
VCID-kshz-ckjc-77ab |
| summary |
tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-27777, GHSA-ch3h-j2vf-95pv, GMS-2022-1138
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kshz-ckjc-77ab |
|
| 24 |
|
| 25 |
| url |
VCID-mnh7-4rvx-suay |
| vulnerability_id |
VCID-mnh7-4rvx-suay |
| summary |
Action Pack contains database-query restrictions bypass
`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 2.3.16, 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain `[nil]` values, a related issue to CVE-2012-2694. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.1.5 |
| purl |
pkg:gem/actionpack@3.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-1xbd-73qv-mff9 |
|
| 3 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 4 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 5 |
| vulnerability |
VCID-4bzb-ft3d-dkgg |
|
| 6 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 7 |
| vulnerability |
VCID-58sa-6uag-z7hp |
|
| 8 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 9 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 10 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 11 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 12 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 13 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 14 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 15 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 16 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 17 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 18 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 19 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 20 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 21 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 22 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 23 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 24 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 25 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 26 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 27 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 28 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 29 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 30 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 31 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 32 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 33 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 34 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 35 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 36 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 37 |
| vulnerability |
VCID-rgw4-mrr9-euda |
|
| 38 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 39 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 40 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 41 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 42 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 43 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 44 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 45 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.1.5 |
|
| 1 |
| url |
pkg:gem/actionpack@3.2.4 |
| purl |
pkg:gem/actionpack@3.2.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-1xbd-73qv-mff9 |
|
| 3 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 4 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 5 |
| vulnerability |
VCID-4bzb-ft3d-dkgg |
|
| 6 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 7 |
| vulnerability |
VCID-58sa-6uag-z7hp |
|
| 8 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 9 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 10 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 11 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 12 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 13 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 14 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 15 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 16 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 17 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 18 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 19 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 20 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 21 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 22 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 23 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 24 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 25 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 26 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 27 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 28 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 29 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 30 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 31 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 32 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 33 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 34 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 35 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 36 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 37 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 38 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 39 |
| vulnerability |
VCID-rgw4-mrr9-euda |
|
| 40 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 41 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 42 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 43 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 44 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 45 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 46 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 47 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.4 |
|
|
| aliases |
CVE-2012-2660, GHSA-hgpp-pp89-4fgf, OSV-82610
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mnh7-4rvx-suay |
|
| 26 |
| url |
VCID-n7ga-1sx4-yfcv |
| vulnerability_id |
VCID-n7ga-1sx4-yfcv |
| summary |
rubygem-actionpack: Possible Open Redirect Vulnerability in Action Pack |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@6.1.3.2 |
| purl |
pkg:gem/actionpack@6.1.3.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 1 |
| vulnerability |
VCID-b7z5-h1bw-tya9 |
|
| 2 |
| vulnerability |
VCID-be5x-uyc6-sudm |
|
| 3 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 4 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 5 |
| vulnerability |
VCID-fdqs-v9b2-53gu |
|
| 6 |
| vulnerability |
VCID-fgtd-zx7r-rygb |
|
| 7 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 8 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 9 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 10 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 11 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 12 |
| vulnerability |
VCID-re7g-rxbm-dbd9 |
|
| 13 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2 |
|
|
| aliases |
CVE-2021-22903, GHSA-5hq2-xf89-9jxq
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n7ga-1sx4-yfcv |
|
| 27 |
| url |
VCID-n7kh-9mpq-13c7 |
| vulnerability_id |
VCID-n7kh-9mpq-13c7 |
| summary |
Cross site scripting that affects rails
Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
|
| aliases |
CVE-2009-3009, GHSA-8qrh-h9m2-5fvf, OSV-57666
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n7kh-9mpq-13c7 |
|
| 28 |
| url |
VCID-nax4-x97j-9fgr |
| vulnerability_id |
VCID-nax4-x97j-9fgr |
| summary |
actionpack Improper Input Validation vulnerability
`actionpack/lib/action_view/lookup_context.rb` in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.16 |
| purl |
pkg:gem/actionpack@3.2.16 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 7 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 8 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 9 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 10 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 11 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 12 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 13 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 14 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 15 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 16 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 17 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 18 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 19 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 20 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 21 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 22 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 23 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 24 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 25 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 26 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 27 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 28 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 29 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 30 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 31 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 32 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 33 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 34 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 35 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 36 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.16 |
|
| 1 |
| url |
pkg:gem/actionpack@4.0.2 |
| purl |
pkg:gem/actionpack@4.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 17 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 18 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 19 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 20 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 21 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 22 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 23 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 24 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 25 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 26 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 27 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 28 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 29 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 30 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 31 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 32 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 33 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 34 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2 |
|
|
| aliases |
CVE-2013-6414, GHSA-mpxf-gcw2-pw5q, OSV-100525
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nax4-x97j-9fgr |
|
| 29 |
|
| 30 |
| url |
VCID-nnka-c23v-qub7 |
| vulnerability_id |
VCID-nnka-c23v-qub7 |
| summary |
actionpack vulnerable to Cross-site Scripting
Cross-site scripting (XSS) vulnerability in the `number_to_currency` helper in `actionpack/lib/action_view/helpers/number_helper.rb` in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.16 |
| purl |
pkg:gem/actionpack@3.2.16 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 7 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 8 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 9 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 10 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 11 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 12 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 13 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 14 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 15 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 16 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 17 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 18 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 19 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 20 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 21 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 22 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 23 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 24 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 25 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 26 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 27 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 28 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 29 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 30 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 31 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 32 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 33 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 34 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 35 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 36 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.16 |
|
| 1 |
| url |
pkg:gem/actionpack@4.0.2 |
| purl |
pkg:gem/actionpack@4.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 17 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 18 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 19 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 20 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 21 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 22 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 23 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 24 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 25 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 26 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 27 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 28 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 29 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 30 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 31 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 32 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 33 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 34 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.2 |
|
|
| aliases |
CVE-2013-6415, GHSA-6h5q-96hp-9jgm, OSV-100524
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nnka-c23v-qub7 |
|
| 31 |
| url |
VCID-p1yd-keq8-rkh3 |
| vulnerability_id |
VCID-p1yd-keq8-rkh3 |
| summary |
actionpack Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in the `strip_tags` helper in `actionpack/lib/action_controller/vendor/html-scanner/html/node.rb` in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-2931, GHSA-v5jg-558j-q67c
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p1yd-keq8-rkh3 |
|
| 32 |
| url |
VCID-qth9-abgp-wyaq |
| vulnerability_id |
VCID-qth9-abgp-wyaq |
| summary |
Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack.
Impact
------
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
Credits
-------
Thanks to [ryotak](https://hackerone.com/ryotak) for the report! |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-54133, GHSA-vfm5-rmrh-j26v
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qth9-abgp-wyaq |
|
| 33 |
| url |
VCID-r6mr-ay8d-nqdd |
| vulnerability_id |
VCID-r6mr-ay8d-nqdd |
| summary |
actionpack is vulnerable to denial of service via a crafted HTTP Accept header
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.22.1 |
| purl |
pkg:gem/actionpack@3.2.22.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 10 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 11 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 12 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 13 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 14 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 15 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 16 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 17 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 18 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 27 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 28 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 29 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.22.1 |
|
| 1 |
| url |
pkg:gem/actionpack@4.1.14.1 |
| purl |
pkg:gem/actionpack@4.1.14.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 19 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 20 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 21 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 22 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 23 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 24 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 25 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 26 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 27 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 28 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.14.1 |
|
| 2 |
| url |
pkg:gem/actionpack@4.2.5.1 |
| purl |
pkg:gem/actionpack@4.2.5.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 6 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 7 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 8 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 9 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 10 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 11 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 12 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 13 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 14 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 15 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 16 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 17 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 18 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 19 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 20 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 21 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 22 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 23 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 24 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 25 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 26 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 27 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.2.5.1 |
|
| 3 |
| url |
pkg:gem/actionpack@5.0.0.beta1.1 |
| purl |
pkg:gem/actionpack@5.0.0.beta1.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 6 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 7 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 8 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 9 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 10 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 11 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 12 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 13 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 14 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 15 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 16 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 17 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 18 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 19 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 20 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 21 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 22 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 23 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 24 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 25 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.0.0.beta1.1 |
|
|
| aliases |
CVE-2016-0751, GHSA-ffpv-c4hm-3x6v
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r6mr-ay8d-nqdd |
|
| 34 |
| url |
VCID-sg9h-7dqr-xugu |
| vulnerability_id |
VCID-sg9h-7dqr-xugu |
| summary |
actionpack vulnerable to Path Traversal
Directory traversal vulnerability in `actionpack/lib/action_dispatch/middleware/static.rb` in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when `serve_static_assets` is enabled, allows remote attackers to determine the existence of files outside the application root via a `/..%2F` sequence. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.20 |
| purl |
pkg:gem/actionpack@3.2.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 7 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 8 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 9 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 10 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 11 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 12 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 13 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 14 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 15 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 16 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 17 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 18 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 19 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 20 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 21 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 22 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 23 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 24 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 25 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 26 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 27 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 28 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 29 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 30 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 31 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 32 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.20 |
|
| 1 |
| url |
pkg:gem/actionpack@4.0.11 |
| purl |
pkg:gem/actionpack@4.0.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 28 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 29 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 30 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 31 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.11 |
|
| 2 |
| url |
pkg:gem/actionpack@4.1.0.beta1 |
| purl |
pkg:gem/actionpack@4.1.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 28 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 29 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 30 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 31 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 32 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 33 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.0.beta1 |
|
| 3 |
| url |
pkg:gem/actionpack@4.1.7 |
| purl |
pkg:gem/actionpack@4.1.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 28 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 29 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 30 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 31 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.7 |
|
| 4 |
| url |
pkg:gem/actionpack@4.2.0.beta1 |
| purl |
pkg:gem/actionpack@4.2.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 6 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 7 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 8 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 9 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 10 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 11 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 12 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 13 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 14 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 15 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 16 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 17 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 18 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 19 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 20 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 21 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 22 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 23 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 24 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 25 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 26 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 27 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 28 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 29 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 30 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 31 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.2.0.beta1 |
|
| 5 |
| url |
pkg:gem/actionpack@4.2.0.beta3 |
| purl |
pkg:gem/actionpack@4.2.0.beta3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 6 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 7 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 8 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 9 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 10 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 11 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 12 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 13 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 14 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 15 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 16 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 17 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 18 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 19 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 20 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 21 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 22 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 23 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 24 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 25 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 26 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 27 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 28 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 29 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 30 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.2.0.beta3 |
|
|
| aliases |
CVE-2014-7818, GHSA-29gr-w57f-rpfw
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sg9h-7dqr-xugu |
|
| 35 |
| url |
VCID-v2hk-dfbe-5khc |
| vulnerability_id |
VCID-v2hk-dfbe-5khc |
| summary |
Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch
# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch
There is a possible ReDoS vulnerability in the Accept header parsing routines
of Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2024-26142.
Versions Affected: >= 7.1.0, < 7.1.3.1
Not affected: < 7.1.0
Fixed Versions: 7.1.3.1
Impact
------
Carefully crafted Accept headers can cause Accept header parsing in Action
Dispatch to take an unexpected amount of time, possibly resulting in a DoS
vulnerability. All users running an affected release should either upgrade or
use one of the workarounds immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby
3.2 or newer are unaffected.
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
There are no feasible workarounds for this issue.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 7-1-accept-redox.patch - Patch for 7.1 series
Credits
-------
Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch! |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-26142, GHSA-jjhx-jhvp-74wq
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v2hk-dfbe-5khc |
|
| 36 |
| url |
VCID-v3u5-6bpb-qfgf |
| vulnerability_id |
VCID-v3u5-6bpb-qfgf |
| summary |
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.21 |
| purl |
pkg:gem/actionpack@3.2.21 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 7 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 8 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 9 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 10 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 11 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 12 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 13 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 14 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 15 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 16 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 17 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 18 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 19 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 20 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 21 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 22 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 23 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 24 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 25 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 26 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 27 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 28 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 29 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 30 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 31 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.21 |
|
| 1 |
| url |
pkg:gem/actionpack@4.0.11.1 |
| purl |
pkg:gem/actionpack@4.0.11.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 28 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 29 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 30 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.11.1 |
|
| 2 |
| url |
pkg:gem/actionpack@4.0.12 |
| purl |
pkg:gem/actionpack@4.0.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 28 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 29 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 30 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 31 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.12 |
|
| 3 |
| url |
pkg:gem/actionpack@4.1.0.beta1 |
| purl |
pkg:gem/actionpack@4.1.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 28 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 29 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 30 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 31 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 32 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 33 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.0.beta1 |
|
| 4 |
| url |
pkg:gem/actionpack@4.1.7.1 |
| purl |
pkg:gem/actionpack@4.1.7.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 28 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 29 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 30 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.7.1 |
|
| 5 |
| url |
pkg:gem/actionpack@4.1.8 |
| purl |
pkg:gem/actionpack@4.1.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 28 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 29 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 30 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 31 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.8 |
|
| 6 |
| url |
pkg:gem/actionpack@4.2.0.beta1 |
| purl |
pkg:gem/actionpack@4.2.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 6 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 7 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 8 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 9 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 10 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 11 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 12 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 13 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 14 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 15 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 16 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 17 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 18 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 19 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 20 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 21 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 22 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 23 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 24 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 25 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 26 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 27 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 28 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 29 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 30 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 31 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.2.0.beta1 |
|
| 7 |
| url |
pkg:gem/actionpack@4.2.0.beta4 |
| purl |
pkg:gem/actionpack@4.2.0.beta4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 6 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 7 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 8 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 9 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 10 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 11 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 12 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 13 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 14 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 15 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 16 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 17 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 18 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 19 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 20 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 21 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 22 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 23 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 24 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 25 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 26 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 27 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 28 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 29 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 30 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.2.0.beta4 |
|
|
| aliases |
CVE-2014-7829, GHSA-h56m-vwxc-3qpw
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v3u5-6bpb-qfgf |
|
| 37 |
| url |
VCID-vhjv-9864-tbcs |
| vulnerability_id |
VCID-vhjv-9864-tbcs |
| summary |
actionpack Cross-site Scripting vulnerability
The sanitize helper in `lib/action_controller/vendor/html-scanner/html/sanitizer.rb` in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded `:` (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a `:` sequence. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.1.12 |
| purl |
pkg:gem/actionpack@3.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 4 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 5 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 6 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 7 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 8 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 9 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 10 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 11 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 12 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 13 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 14 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 15 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 16 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 17 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 18 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 19 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 20 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 21 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 22 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 23 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 24 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 25 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 26 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 27 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 28 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 29 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 30 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 31 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 32 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 33 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 34 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 35 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 36 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 37 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 38 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 39 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 40 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 41 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.1.12 |
|
| 1 |
| url |
pkg:gem/actionpack@3.2.13 |
| purl |
pkg:gem/actionpack@3.2.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-3rn4-abmh-nkhv |
|
| 4 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 5 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 6 |
| vulnerability |
VCID-5psk-hzaf-1kbz |
|
| 7 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 8 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 9 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 10 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 11 |
| vulnerability |
VCID-9gqn-8g4t-wfby |
|
| 12 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 13 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 14 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 15 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 16 |
| vulnerability |
VCID-cs1f-uhb2-xkcm |
|
| 17 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 18 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 19 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 20 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 21 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 22 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 23 |
| vulnerability |
VCID-jpj6-wzp3-m3e4 |
|
| 24 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 25 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 26 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 27 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 28 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 29 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 30 |
| vulnerability |
VCID-nax4-x97j-9fgr |
|
| 31 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 32 |
| vulnerability |
VCID-nnka-c23v-qub7 |
|
| 33 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 34 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 35 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 36 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 37 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 38 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 39 |
| vulnerability |
VCID-vhjv-9864-tbcs |
|
| 40 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 41 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 42 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 43 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.13 |
|
|
| aliases |
CVE-2013-1857, GHSA-j838-vfpq-fmf2, OSV-91454
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vhjv-9864-tbcs |
|
| 38 |
| url |
VCID-vs1a-m7ya-rue8 |
| vulnerability_id |
VCID-vs1a-m7ya-rue8 |
| summary |
Rails vulnerable to Cross-site Scripting
There is an XSS vulnerability in the `number_to_currency`, `number_to_percentage` and `number_to_human` helpers in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0081.
Versions Affected: All.
Fixed Versions: 4.1.0.beta2, 4.0.3, 3.2.17.
Impact
------
These helpers allows users to nicely format a numeric value. Some of the parameters to the helper (format, negative_format and units) are not escaped correctly. Applications which pass user controlled data as one of these parameters are vulnerable to an XSS attack.
All users passing user controlled data to these parameters of the number helpers should either upgrade or use one of the workarounds immediately.
Releases
--------
The 4.1.0.rc1, 4.0.3 and 3.2.17 releases are available at the normal locations.
Workarounds
-----------
The workaround for this issue is to escape the value passed to the parameter.
For example, replace code like this:
```ruby
<%= number_to_currency(1.02, format: params[:format]) %>
```
With code like this
```ruby
<%= number_to_currency(1.02, format: h(params[:format])) %>
```
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
* 4-1-beta-number_helpers_xss.patch - Patch for 4.1-beta series
* 4-0-number_helpers_xss.patch - Patch for 4.0 series
* 3-2-number_helpers_xss.patch - Patch for 3.2 series
Please note that only the 4.0.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
-------
Thanks to Kevin Reintjes for reporting the issue to us.
--
Aaron Patterson
http://tenderlovemaking.com/ |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.17 |
| purl |
pkg:gem/actionpack@3.2.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 7 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 8 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 9 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 10 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 11 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 12 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 13 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 14 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 15 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 16 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 17 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 18 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 19 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 20 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 21 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 22 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 23 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 24 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 25 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 26 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 27 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 28 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 29 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 30 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 31 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 32 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 33 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 34 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.17 |
|
| 1 |
| url |
pkg:gem/actionpack@4.0.3 |
| purl |
pkg:gem/actionpack@4.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-hh65-ycrj-d7gz |
|
| 17 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 18 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 19 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 20 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 21 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 22 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 23 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 24 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 25 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 26 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 27 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 28 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 29 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 30 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 31 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 32 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 33 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.0.3 |
|
| 2 |
| url |
pkg:gem/actionpack@4.1.0.beta1 |
| purl |
pkg:gem/actionpack@4.1.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 28 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 29 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 30 |
| vulnerability |
VCID-vs1a-m7ya-rue8 |
|
| 31 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 32 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 33 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.0.beta1 |
|
| 3 |
| url |
pkg:gem/actionpack@4.1.1 |
| purl |
pkg:gem/actionpack@4.1.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-123f-6px7-3qdg |
|
| 1 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 2 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 3 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 4 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 5 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m156-zkzd-57g9 |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-r6mr-ay8d-nqdd |
|
| 27 |
| vulnerability |
VCID-sg9h-7dqr-xugu |
|
| 28 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 29 |
| vulnerability |
VCID-v3u5-6bpb-qfgf |
|
| 30 |
| vulnerability |
VCID-y13c-awe3-2bc1 |
|
| 31 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 32 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.1 |
|
|
| aliases |
CVE-2014-0081, GHSA-m46p-ggm5-5j83, OSV-103439
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vs1a-m7ya-rue8 |
|
| 39 |
| url |
VCID-y13c-awe3-2bc1 |
| vulnerability_id |
VCID-y13c-awe3-2bc1 |
| summary |
actionpack is vulnerable to remote bypass authentication
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@3.2.22.1 |
| purl |
pkg:gem/actionpack@3.2.22.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-b4sv-b9pz-r7er |
|
| 10 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 11 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 12 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 13 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 14 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 15 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 16 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 17 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 18 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 19 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 20 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 21 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 22 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 23 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 24 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 25 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 26 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 27 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 28 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 29 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@3.2.22.1 |
|
| 1 |
| url |
pkg:gem/actionpack@4.1.14.1 |
| purl |
pkg:gem/actionpack@4.1.14.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-832g-x9kb-3bbx |
|
| 6 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 7 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 8 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 9 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 10 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 11 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 12 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 13 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 14 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 15 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 16 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 17 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 18 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 19 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 20 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 21 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 22 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 23 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 24 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 25 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 26 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 27 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 28 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.1.14.1 |
|
| 2 |
| url |
pkg:gem/actionpack@4.2.5.1 |
| purl |
pkg:gem/actionpack@4.2.5.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 6 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 7 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 8 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 9 |
| vulnerability |
VCID-brwd-e9kx-xuc2 |
|
| 10 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 11 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 12 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 13 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 14 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 15 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 16 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 17 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 18 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 19 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 20 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 21 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 22 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 23 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 24 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 25 |
| vulnerability |
VCID-v4sh-tkkf-xfeh |
|
| 26 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 27 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@4.2.5.1 |
|
| 3 |
| url |
pkg:gem/actionpack@5.0.0.beta1.1 |
| purl |
pkg:gem/actionpack@5.0.0.beta1.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1b9z-efz6-9fdu |
|
| 1 |
| vulnerability |
VCID-3edd-m27s-a3ek |
|
| 2 |
| vulnerability |
VCID-4w1v-z4zj-6ydp |
|
| 3 |
| vulnerability |
VCID-5pfg-7ntp-eff4 |
|
| 4 |
| vulnerability |
VCID-6z21-pd9d-pfgk |
|
| 5 |
| vulnerability |
VCID-8nkw-8mka-1ygk |
|
| 6 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 7 |
| vulnerability |
VCID-a6wp-n5yh-ybcv |
|
| 8 |
| vulnerability |
VCID-bfbp-7umh-2fcp |
|
| 9 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 10 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 11 |
| vulnerability |
VCID-ejgq-s79w-abd6 |
|
| 12 |
| vulnerability |
VCID-g13k-qvy7-q3fk |
|
| 13 |
| vulnerability |
VCID-g2a6-uem4-uuce |
|
| 14 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 15 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 16 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 17 |
| vulnerability |
VCID-mnh7-4rvx-suay |
|
| 18 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 19 |
| vulnerability |
VCID-n7kh-9mpq-13c7 |
|
| 20 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 21 |
| vulnerability |
VCID-p1yd-keq8-rkh3 |
|
| 22 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 23 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
| 24 |
| vulnerability |
VCID-z16b-zfgu-13a9 |
|
| 25 |
| vulnerability |
VCID-zapd-uts9-zfch |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.0.0.beta1.1 |
|
|
| aliases |
CVE-2015-7576, GHSA-p692-7mm3-3fxg
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y13c-awe3-2bc1 |
|
| 40 |
| url |
VCID-z16b-zfgu-13a9 |
| vulnerability_id |
VCID-z16b-zfgu-13a9 |
| summary |
rails: Possible DoS Vulnerability in Action Controller Token Authentication |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/actionpack@5.2.4.6 |
| purl |
pkg:gem/actionpack@5.2.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 1 |
| vulnerability |
VCID-be5x-uyc6-sudm |
|
| 2 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 3 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 4 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 5 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 6 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 7 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 8 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 9 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 10 |
| vulnerability |
VCID-re7g-rxbm-dbd9 |
|
| 11 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.4.6 |
|
| 1 |
| url |
pkg:gem/actionpack@5.2.6 |
| purl |
pkg:gem/actionpack@5.2.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 1 |
| vulnerability |
VCID-be5x-uyc6-sudm |
|
| 2 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 3 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 4 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 5 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 6 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 7 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 8 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 9 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 10 |
| vulnerability |
VCID-re7g-rxbm-dbd9 |
|
| 11 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@5.2.6 |
|
| 2 |
| url |
pkg:gem/actionpack@6.0.3.7 |
| purl |
pkg:gem/actionpack@6.0.3.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 1 |
| vulnerability |
VCID-be5x-uyc6-sudm |
|
| 2 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 3 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 4 |
| vulnerability |
VCID-fdqs-v9b2-53gu |
|
| 5 |
| vulnerability |
VCID-fgtd-zx7r-rygb |
|
| 6 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 7 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 8 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 9 |
| vulnerability |
VCID-n7ga-1sx4-yfcv |
|
| 10 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 11 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 12 |
| vulnerability |
VCID-re7g-rxbm-dbd9 |
|
| 13 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.0.3.7 |
|
| 3 |
| url |
pkg:gem/actionpack@6.1.3.2 |
| purl |
pkg:gem/actionpack@6.1.3.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-98gu-r7wd-cuah |
|
| 1 |
| vulnerability |
VCID-b7z5-h1bw-tya9 |
|
| 2 |
| vulnerability |
VCID-be5x-uyc6-sudm |
|
| 3 |
| vulnerability |
VCID-dd87-gevs-juhe |
|
| 4 |
| vulnerability |
VCID-eeru-6pyc-8bcd |
|
| 5 |
| vulnerability |
VCID-fdqs-v9b2-53gu |
|
| 6 |
| vulnerability |
VCID-fgtd-zx7r-rygb |
|
| 7 |
| vulnerability |
VCID-k6aw-heeb-wke2 |
|
| 8 |
| vulnerability |
VCID-kshz-ckjc-77ab |
|
| 9 |
| vulnerability |
VCID-m9ud-s6w6-x7ac |
|
| 10 |
| vulnerability |
VCID-nmz3-ux68-dkfd |
|
| 11 |
| vulnerability |
VCID-qth9-abgp-wyaq |
|
| 12 |
| vulnerability |
VCID-re7g-rxbm-dbd9 |
|
| 13 |
| vulnerability |
VCID-v2hk-dfbe-5khc |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@6.1.3.2 |
|
|
| aliases |
CVE-2021-22904, GHSA-7wjx-3g7j-8584
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z16b-zfgu-13a9 |
|
| 41 |
| url |
VCID-zapd-uts9-zfch |
| vulnerability_id |
VCID-zapd-uts9-zfch |
| summary |
actionpack allows remote attackers to bypass intended access restrictions
`actionpack/lib/action_view/template/resolver.rb` in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action name that uses an unintended case for alphabetic characters. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2011-0449, GHSA-4ww3-3rxj-8v6q
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zapd-uts9-zfch |
|